TalkTalk became the latest company to fall victim to the increasing trend in cyber crime. Current estimates are that the personal details of up to 4m customers have been accessed. In a statement the TalkTalk website reveals the following:
“The investigation is still ongoing, but unfortunately there is a chance that some of the following data may have been compromised:
- Dates of birth
- TalkTalk account information
- Credit card details and/or bank details”
All of this is information which could be used for identity fraud.
How to protect yourself
Change your TalkTalk password to a strong password, and if you have used the same password for other websites, change it on those sites immediately. A strong password will be at least 8 characters long, with upper and lower case letters, numbers and characters. Avoid dictionary words, and do not reuse the same password on other websites.
Be aware of any unusual activity on your bank accounts. Do not respond to any requests, by email or telephone, however realistic, for personal details or for your password. No bank will ask you for this. Report any suspicions to Action Fraud, either online or by telephone on 0300 123 2040.
How did it happen?
Customers now have all this responsibility placed on their shoulders and obviously want to know why they have been put in this position. The official line from TalkTalk is that they take data security very seriously, and that they have worked with leading security experts to ensure their systems are secure. Now they are working with cyber crime experts, security services and the police to investigate the breach.
They have disclosed that the attack came through their website and that, when they noticed unusual activity on it, they immediately closed it down to try to secure it. But they probably will not know how long this attack has been happening, or exactly what data has been accessed, until the security experts have completed their investigation. Sometimes hackers will gain access either through a weakness in the website software, which may not have been updated, or by persuading someone inside a company to make a mistake which would let them in. Once in, they will have gained access to the back-end systems, then escalated privileges and been able to access this data.
A company that was taking the security of its customers' data seriously would have encrypted any sensitive data, but TalkTalk have disclosed that not all of the data was encrypted!
Not the first cyber security data breach suffered by TalkTalk
More worrying is the fact that this is not the only cyber security breach they have suffered. It is the third time this has happened; the earlier breaches were in December 2014 and February 2015. The Guardian reported in December 2014 that customers had complained that they had been contacted by ‘India-based scam calls’ where their personal details were known. The Guardian reported in February 2015 that customers had lost thousands of pounds due to personal details falling into the hands of criminals, which they had traced to a third-party contractor who had had legitimate access to customers' accounts.
Has TalkTalk breached the Data Protection Act?
In answer to this question TalkTalk respond:
“No, this is a criminal attack. We have notified the ICO and we will work closely with them over the coming weeks and months”.
The Data Protection Act says:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
Principle 7 of the Data Protection Act states:
“…you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- be ready to respond to any breach of security swiftly and effectively”.
It will be interesting to see what unfolds from the police and security services' investigations.
To find out how you can protect your organisation from cyber crime and improve your cyber security, contact Securious.