TalkTalk is taking legal action against a supplier after a breach at the supplier led to the exposure of customer data at the mobile and broadband firm, putting some customers at risk of fraud.
So far, one customer has been left £2,800 out of pocket as his bank, Santander, refuses to compensate him, reported The Guardian.
HR consultant Graeme Smith of County Durham said he was contacted by a woman claiming to be from TalkTalk, which seemed credible because she knew his name and TalkTalk account number.
Smith was asked to download some software onto his computer to confirm an alleged hacking attempt on his account, and then asked to give his banking details to receive compensation for being hacked.
Smith became suspicious when the caller asked him to leave his landline phone open overnight. He then checked his bank account and discovered a deduction of £2,815.
Santander said it is “really sympathetic” but will not refund the money as it holds Smith responsible for the payment because he gave the fraudsters a one-time passcode (OTP) to authorise the transaction.
According to TalkTalk, a third-party contractor that had legitimate access to its customer accounts was involved in a data breach in 2014, giving the attackers access to some TalkTalk customer data.
Details of the breach, and of how the TalkTalk customer data were obtained, have not been revealed due to “ongoing legal proceedings,” but the company said “a small, but significant number” of customers were affected.
As a result, the mobile provider said, in a “small number of cases” of scams at the end of 2014, customers reported that the criminals were quoting their TalkTalk account number and phone number.
TalkTalk admitted the breach in response to customer complaints on the company’s online forum about calls from fraudsters purporting to be from TalkTalk.
“As part of our ongoing approach to security we continually test our systems and processes and following further investigation into these reports, we have now become aware that some limited, non-sensitive information about some customers could have been illegally accessed in violation of our security procedures,” the company said in a statement emailed to Computer Weekly.
“We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly.
“We want to reassure customers that no sensitive information like bank account details has been illegally accessed, and TalkTalk Business customers are not affected.”
TalkTalk said it has “taken serious steps” to address the incident and is working with the Information Commissioner’s Office.
“We want to help our customers protect themselves from scams so we are writing to all customers again to warn them about this criminal activity, with full advice, support and a reminder of the many free services TalkTalk offers to try to stop malicious scams reaching them,” the company said.
TalkTalk has emailed all of its four million customers as a precaution to make it clear that the company will never ask them over the phone to give bank account details, reveal their full password, or download any software unless they are part of a pre-agreed trial.
Breach highlights importance of supply chain security
The breach at TalkTalk is the latest to highlight the importance of supply chain security.
When US retailer Target was hit by one of the biggest data breaches in the industry's history in late 2013, the attack was traced back to an earlier breach at Fazio Mechanical Services (FMS). The heating, ventilation and air conditioning contractor in Pittsburgh was connected to Target's systems to provide electronic billing services, contract submissions and project management services.
In October 2014, the UK government began requiring its IT suppliers to comply with the five security controls laid out in its Cyber Essential Scheme. “It is vital that we take steps to reduce the levels of cyber security risk in our supply chain,” Cabinet Office minister Francis Maude said at the time.
TalkTalk has not revealed any details of the legal action it is taking or the name of the supplier involved in the breach.
Executive vice-president of consultancy and technology services at security firm Avecto, Andrew Avanessian, said it is another reminder that a business is only as secure as the weakest link in its supply chain.
“There are still too many businesses giving third parties unnecessary access to their corporate systems, and determined attackers will use these suppliers to gain an initial foothold in the target system. Companies need to be more savvy and proactive when it comes to the supply chain,” he said.
Avanessian said attackers often exploit innocent employees and customers with social engineering campaigns.
“Businesses should limit their exposure to this risk by adopting a least-privilege approach to user access. Businesses should prepare for when they are targeted, not if, and take control of who has access to what is the obvious starting place,” he said.
However, customers should also remain vigilant against such attacks and not engage with unsolicited contact that requests personal or financial information.
“If they are unsure of what they are being asked they should hang up and make a call back to the company’s official number, thus confirming authenticity,” said Avanessian.