TalkTalk has come under fire for failing consumers after the company reported a cyber attack on its website that may have exposed details of millions of customers.
TalkTalk said in a statement that police are investigating a "significant and sustained cyber attack" on the its website on 21 October 2015.
The UK phone and broadband provider said the investigation was ongoing – but there is a chance that the attackers may have accessed customer data.
The company – which reportedly has over four million customers – said compromised data may include the names, addresses, dates of birth, email addresses, telephone numbers, TalkTalk account information and even credit card details and/or bank details.
Despite claiming to “constantly review and update” systems to ensure they are secure as possible, the company said not all of the data was encrypted.
“We’re working with the police and cyber security experts to understand what happened and protect as best we can against similar attacks in future,” TalkTalk said.
However, the TalkTalk sales website and the "My account" services are expected to be restored only by the weekend.
TalkTalk said it is contacting all its customers by email and letter to warn them that their personal details may have been exposed in the cyber attack.
The UK’s privacy watchdog, the Information Commissioner’s Office (ICO) has also been notified of the possible breach of personal data.
An ICO spokesperson said any time personal data is lost there can be a risk of identity theft. "There are measures you can take to guard against identity theft, for instance being vigilant around items on your credit card statements or checking your credit ratings. There are tips and information about identity theft available on our website."
TalkTalk is urging customers to keep an eye on their accounts over the next few months and report any unusual activity to their bank and Action Fraud.
TalkTalk's third data breach
TalkTalk said it had contacted the major banks asking them to look out for suspicious activity on customers' accounts. It added that every customer would get a year's free credit monitoring.
“What’s unfortunate is that this is TalkTalk’s third breach and its second of this year,” said Willy Leichter, global director of security strategy at CipherCloud.
Read more about data breaches
- Drawing on insights from more than 400 senior business executives, research from Experian reveals that many businesses are ill-prepared for data breaches.
- Sony will pay up to $10,000 to each claimant for identity theft losses and up to $1,000 each to cover the cost of credit-fraud protection services in connection with a cyber attack in 2014.
- The rise in high-profile security breaches has led to an increasingly worried UK public, calling for 24-hour monitoring of sensitive information.
In August 2014, the company revealed its mobile sales site had been targeted and personal data breached. In February 2015, TalkTalk customers were warned about scammers who had managed to steal thousands of account numbers and names.
“The response is a bit déjà vu too. The company says that it ‘constantly reviews and updates its systems' to make sure they are as secure as possible – but how thoroughly are they protecting their systems if they have yet to encrypt customer details?” said Leichter.
“It seems as if TalkTalk is trying to score points of style over substance. The only improvement this time is that they are notifying customers quicker."
Encryption as a business issue
All organisations should be encrypting all sensitive data as part of a data-centric approach to security, said a panel of information security experts at the (ISC)2 Security Congress, Europe, the Middle East and Africa 2015 in Munich.
“Encryption is the only way for organisations to get control and be in a position to mitigate and ultimately accept risk,” said panellist Frank Weisel, regional sales manager at Vormetric in Germany.
Security is no longer an IT problem, it is a business issue, said Simon Mullis, global technical lead at FireEye.
“The way in which a company responds to such an attack can have a huge impact on its stakeholder value. It's therefore imperative that executives have a firm plan in place to recover from data breaches when they occur, as their company's value swings in the balance,” he said.
According to Mullis, the most important thing is for organisations to stay current in the realm of cybersecurity, as the threat landscape is always evolving
“Therefore, a proactive rather than reactive approach to security is necessary to keep a business as safe as possible from the risk of long-term ramifications. And should a breach occur, being prepared and ready to respond is key,” he said.
Preparation key to data security
The cyber attack on TalkTalk underlines the fact cyber crime is a clear and present danger to all businesses, regardless of size, industry or geography,” said Richard Beck, head of cyber security at QA.
“When it comes to mitigating the risk of a cyber attack, organisations should take the following approach - detect, defer, defend. A key element of this preparation is ensuring that employees have a good understanding of the threat landscape together with the steps they can take to help keep these increasingly sophisticated and determined cyber criminals at bay,” he said.
News of this latest cyber attack should be a wake-up call for all companies serving consumers and storing their personal data, said Richard Parris, chief executive at Intercede.
“In an independent survey of 2,000 16-35 year old consumers it was revealed that very few place any significant trust in companies’ ability to protect their personal data. For telecommunications operators, 40% described their level of trust as ‘none’ or ‘a little’,” he said.
According to Parris, it is time major businesses gave the issue the attention it deserves. “They need to stop relying on simple password-based authentication and to start applying enterprise-grade systems.
“Protecting customers’ private data should be a top priority for any organisation. Failure to demonstrate that adequate safeguards are in place will inevitably result in customers, and revenues, disappearing,” he said.
Thriving market for stolen data
Raj Samani, chief technology officer for Intel Security Europe, said initial reporting suggested the most recent attack on TalkTalk used distributed denial of service (DDoS) attacks as a potential smokescreen to hide the cyber criminals ultimate goal – data theft on a huge scale.
“While it is too early to draw conclusions, we know from previous incidences – such as Operation Troy – that this tactic has been successfully used in the past,” he said.
Intel Security’s recently published Hidden Data Economy report revealed that the marketplace for stolen data is thriving.
“Not only are huge amounts of stolen information readily available online, but buyers do not even have to delve into the darknet to access this information. Almost any information you can imagine can – and is – being sold online, extending far beyond credit card details,” said Samani.
“Data breaches and hacks are hitting the headlines on a regular basis, leaving swathes of sensitive customer details in the hands of criminals. Businesses should be ensuring the right security measures are in place to effectively protect this information,” he said.
According to Samani, affected organisations are learning that a quick reaction is vital. “Recognising when a data breach has occurred and moving quickly to inform customers is key if they are going to stop cyber criminals from exploiting any stolen data,” he said.