TalkTalk, we need to have a serious talk…
Hackers have stolen the personal details of thousands of TalkTalk customers, and – in some cases – used them to scam further information such as sensitive banking information.
Yesterday, UK broadband and phone operator TalkTalk emailed customers to tell them that an investigation had uncovered that there had been a significant data breach involving a third party contractor which had legitimate access to customer account details.
As a result, customer account numbers, addresses and phone numbers had fallen into the hands of criminal fraudsters – who were then, in some cases, using them to make scam phone calls to TalkTalk users.
Here is part of the email that TalkTalk sent to its customers:
Following a detailed investigation, we understand that some customer information, including account numbers, could have been illegally accessed in violation of our security procedures. No financial data was at risk as this is encrypted on our systems.
We have been working with an external specialist security company to take urgent and serious steps to prevent this happening again.
Rumours of a TalkTalk data breach have been bubbling up since December , but this is the first official confirmation that a serious security incident occurred.
The company says that since the end of last year it has been “working to find out how it happened, as well as putting in place robust security measures to stop it happening again.” Now that investigation is completed it says it is ready to inform its customers.
That’s too late, unfortunately, for some TalkTalk customers.
For instance, The Guardian spoke to semi-retired HR consultant Graeme Smith, who says that he was called by someone claiming to be a member of TalkTalk’s fraud team, and that they had intercepted a hacker attempting to gain access to his internet account via his router.
By referring to his name and TalkTalk account details, the Indian-accented scammers were able to trick Smith into downloading software onto his computer. He later found over £2,800 had been stolen from his online bank account.
Considering what a major news story this, and the concern that must be being felt by many TalkTalk customers, it’s a shame that there’s currently no mention of the data breach on TalkTalk’s homepage.
Instead, you have to dig down and find an FAQ about the dangers of phone scammers, and scroll to the bottom where an FAQ about the data breach is located.
Details of precisely what occurred are not currently forthcoming, but the speculation will be that it involves lax security at a call centre, perhaps located overseas.
Large companies often bring in third-party call centre services to handle the pain of customer relations and account management, meaning they also have to trust them with access to their customers’ details.
Unfortunately, it’s unlikely that scammers and fraudsters are only targeting TalkTalk – there is a good chance that other ISPs and comms companies have also been on the receiving end of attacks from hackers eager to steal customer data.
This is a point that TalkTalk itself is keen to make, and in its email to customers it emphasises that they aren’t the only ones in the firing line.
Kind of them to think of other firms when they’re suffering their own damaging data breach. (Psst! BTW, TalkTalk. That link to your page about phone scams doesn’t work, because your slash is the wrong way round).
Everyone needs to be on their guard for unsolicited emails and phone calls. If in doubt, go the extra mile to confirm that the person contacting you is legitimate and from the company they say they are.
Often the best way is to visit the company’s real website, and look for a contact number there rather than trusting them to identify themselves truthfully if they call you.
TalkTalk has published guidance for consumers on how to avoid scam phone calls on its website.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
27 comments on “Serious TalkTalk data breach leads to scam phone calls for customers”
I have received scam emails already asking me to change my password, but takes me to an unknown site (obviously I have not clicked it). It's annoying because that email address is ONLY used for my bills. I only received a warning email from talktalk today! At least Graham Cluley is here.
Hi, it's worse than just this. Armed with ONLY the phone number and bank account number (both available from this breach) the talktalk website allows you to reset the password to the account, after which they setup a call divert to India and then arrange over the phone an international transfer which is verified by calling back on the number which has been diverted.
In the example I know of personally the bank was HSBC , I read another case which was the same combination of HSBC and TalkTalk. The person I know of got their money back (which was taken at a special time of a specific day and a specific % of the account to avoid being flagged up) . The person did receive phone calls but was too suspicious to give or confirm any information, eventually getting sick of them and telling them to get lost (after several calls). To be clear, this person gave NO information yet lost thousands of pounds (though returned by the bank as he had tipped them off something may be wrong and they ignored the warning and allowed the transfer).
I contacted TalkTalk suggesting that they should remove the option to setup call divert from the website but heard nothing back.
sorry, the bank was Santander NOT HSBC as mentioned
I got that email today too. No obvious scamming attempts so far.
I think it is bad that you have to get down to paragraph 9 of the email (in my case, off the bottom of the visble window) before any mention is made of a data breach. Many people might have given up reading by then, since it appears up to that point to be a generic "how to avoid scams" type email that we all often get from the organisations we hold accounts with. The admission should have been more upfront.
It's been known since September at least
As well as stealing bank details they will ask to have remote access to your computer once this is established they will install viruses and malware making the computer seriously ill and data may be compromised. They also can use that technique to make it look like your computer has a problem and you need to pay for it!
their targeting b t customers as well —–asian voice calls asking for d/d details on my ans mash—their num—-08000285085
… has been "working to find out how it happened, as well as putting in place robust security measures to stop it happening again."
And, "We have been working with an external specialist security company to take urgent and serious steps to prevent this happening again."
If it can be done now, why wasn't it done in the first place? And to just say beware of scam phone calls and not let on what had happened to their customers' accounts, well, I'm not up with the play on that but wouldn't it be gross negligence?
To say "we take your security very seriously" is simply not true. This applies to most companies who wait to be hacked before taking these "urgent and serious steps".
Having lost almost £4000 on this scam and TalkTalk not admitting any liability Are there any solicitors/lawyers willing to take up our cases on a contingency basis? This cyber crime emanating from overseas needs to be stopped and until companies like TalkTalk are made to 'suffer' financially, then it will only increase. Everybody cannot be cybersmart, some of us tend to trust people. Is it so hard to believe that in 2015, no one can be trusted
I suffered the same scam last week and lost 1900 pounds Has any legal action been started yet .?
The scammers are STILL targeting Talk Talk customers. I had to wrench the phone from my husband's hand this morning to give the Indian lady on the other end what for after I caught him in front of the computer in the process of following instructions from her. This happened half a hour before I had to leave for work – thank goodness she didn't call later when I was out or we might have been victims!
My husband said she sounded very plausible, had all of our account details and said their server had had reports of "rogue software" on our computer.
How many of their customers are going to have to get caught out before Talk Talk take action over this?
The Talk-Talk scam is still going on (June 2015). Interesting that TalkTalk describes it as an attack – their own staff selling on customer details would be far more accurate. A few weeks ago I reported a fault and within days the scammers were calling with with full details of the fault as well as my account details. I almost fell for it but realised what they were up to when the mentioned giving me an online refund as compensation. Reported the matter to Talk-Talk and was sent back a 'full and final email' containing the usual waffle but basically doing nothing. I've now read about this in so many forums covering a long period of time that it's clear Talk-Talk don't really care about its customers' security so I'll be changing supplier.
I had exactly the same about 2 months ago. Had connection problem in the morning, called Talktalk call centre who rectified the problem and the very same day had a scammer trying to convince me they were from Talktalk and I had a virus in my computer and they were going to help me fix it. To much of a coincidence for me. Definitely a security problem with the call centre staff.
This is still happening. I have had many calls from "Talk Talk" but usually hang up.
However, I recently purchased a mobile from the Talk Talk website. On 13th. August I received a call purportedly from "Talk Talk, telling me I had been "hacked" (N.B. Carphone Warehouse/Talk Talk attack this month).. The call centre type voice on the phone wanted me to install Teamviewer (remote access software) to solve the problem. I called his bluff and he hung up.
Two leaks in one year and no information to customers apart from the general security information quoted above on their website… Shame on you, Talk Talk.
Still ongoing – receiving at least two calls a day purporting to be from Talk Talk – and having possession of my account number, name, phone and address – trying to get me to download their software after persuading me that my computer is sending 'bad data' to the talk talk servers.
To try and convince me they get you to open the event viewer and tell me that the various warnings are evidence of this.
When it's pointed out that they're simply administrative messages – like my not accepting microsoft's offer to download Windows 10 and that they're talking rubbish they hang up.
I called talk talk and their complacency is astounding.
I think I'll leave.
I've also recently had phone calls supposedly from TalkTalk telling me my internet connection is at risk from hackers and to switch on my computer where they will give me a few simple steps to stop this. The first call was from 02031293855, as TalkTalk do use 0203 numbers I thought it was a genuine call but I did ask them to call me back in 1/2 hour as I was busy. They did call me back but on 0089567 which of course I ignored as by this time I had realised it was a scam. I reported it immediately to TalkTalk who gave me another number to look out for as they knew other people were being scammed on 02032398334. Funny how all this started the week after I ordered a new sim card for my mobile when I was cold called!
Scam still being perpetrated. I was unaware of anything remiss re TT. I can not believe that I fell for it. But as I have had 'problems' with my internet (slow) and messages re IP conflict on one machine I use, I too thought the call from a woman purporting to be from TalkTalk who knew my account number and obviously my phone number, was genuine. But I did fall for this and allowed the download of remote access (how stupid could I be, knowing how this should work) and even allowed access to my bank online. (Can't believe that I did, having been warning people for years not to do so.) Only when, after 2/3 hours did the so called PC scan give a message that I was due £50 compensation from TalkTalk for the fact that my router had been hacked, and i was then asked to complete a Western Union fund transfer form (to supposedly receive the compensation) did I finally realise that this must be a scam. I immediately phoned TT. I also then went to a different PC using a different internet provider to check my bank and lo and behold cash had been withdrawn. Thankfully there was not much in it anyway. I immediately rang the bank and spoke to the fraud team, who reassured me that the cash had not left my account, as they had already suspected something, and it would e re credited by the end of the afternoon. By the end of the day that has yet to happen but I expect HSBC to keep to their word. So that will be a relief. My list of payments actually shows details of the fraudster's account so I do not know why these fraudsters can not be trapped. I have completed a Action Fraud Police form online. It is strange that this should happen the day after a reset my router.
My experience exactly as others. I got a call from 02031293885 on 11 Sept 2015 saying they were from Talk Talk and my router was flagging up problems. As I had had problems with with my broadband service and they knew my name and number I was prepared to believe them but asked for their name and number so I could ring back. This I did and the phone was answered as Talk Talk with the sound of an Indian call centre in the background.
They persuaded me to download Show My PC onto my computer and then after a long call "diagnosing" problems said I was due a refund and a new router . They asked when it would be convenient to send new router and then asked me to get into bank account to check refund had gone through. At this point I realised it was a scam and the man got cross and his parting words were that I would not be able to use my PC again. He was quite right.
I think they also changed settings on router so that 3 other computers have been infected even though I have up to date virus and malware software on all machines. I am an experienced PC user and am embarassed and appalled that I should be so dumb and stupid to nearly fall for such a scam. But the scammers are clever and convincing.
I have now bought a new laptop and cancelled my Talk Talk account. I felt totally viloated and abused by the experience and the fall out from it it has taken up an inordinate amount of emotional energy and time. Talk Talk showed absoiutely no interest in the fact that I was hacked and did not put me through to their fraud team and their only response was that if wanted to cancel they would charge me.
I now plan to start proceedings in the online small claims court for the cost and distress their negilgence has caused me. The telephone number of the scammers has been in the public domain for months but Talk Talk make no reference to it anywhere.
Just received a call this morning. From a "Henry Thomas". As per the posters above, the call sounds genuine (call centre noise in the back ground). Told me I had problems with my Talk Talk Router. Luckily, I had switched to BT a while back and told him I was no longer with Talk Talk. He immediately hung up…I can see why others fall for this. Especially if you are still with Talk Talk. Why Talk Talk don't publicize this more is appalling…
Had the same call this morning Mon 19th Oct 2015 – just a few hours ago.
Indian guy with a very heavy Indian accent told me his name was ' James Parker ' and that I had a problem with my router.
He wanted me to turn on my PC so he could direct me to a file showing the maleware files I had on the PC and the router.
I knew straight away that there was nothing wrong with either my PC or the router – which you see is evident from me posting this, but deliberately played along with him.
He knew my name and account details bu t I insisted that I talk with his supervisor.
Another chap with an equally heavy Indian accent came on the phone and told me his name was ' David Carter ' – LOL.
He was very assertive and assured me that he was indeed from TalkTalk and that if I didn't follow his instructions then all my online services would crash and have total screen blackout.because of the malware on the router.
There are probably hundreds and thounsands of people here in the UK that would be taken in by those very plausable scammers – especially older people.
My contract with TalkTalk is up next March and I've decided to get my internet service from elsewhere after that.
This happened to me this morning! Again called by thick accented Indian guy, called Chris Martin ( yep Coldplay are in on it to ha ha) claiming to be from Talk Talk. Same conversation, problem with router.
I,thankfully, picked up on an anomaly in the information they provided, but they did have my customer reference number, name and address!!!!
I called Talk Talk, they confirmed they hadn’t called me, but didn’t seem surprised, or even concerned! Absolutely appalling response from them ‘i have made a not on your account….etc’ The person I spoke to, said they had sent all customers and an email about the potential breach, I never received anything, and they were unable to confirm when the email or the letter had been sent, not great confimation on their behalf.
They claimed it was in the press too? I don’t walk round with my eyes shut, or my ears closed but definitely do not know anything about this. I looked it up on Google, and found an article from February this year in the Guardian. The conversation the victim in the article had with the the Scammers matched the conversation I had this morning.
I called 1471, to see if a number came up, it did, called it, and it was in America, and clicked on to a 'Thank you for calling Harvard University….. message!!! I called Harvard, and it is the same voice and message!! I have spoken to some one there, and they are looking in to it. ( unless, of course I spoke to the scammers boss?)
As Graham Mentioned, there is nothing on their website that is visible, why aren’t they making this more public, essentially this could be life changing for some people to loose £2k ++.
Also how can this STILL be going on for at least 8 months, what is being done about this by TT and CPW?
Having experienced this myself today, it is so easy to see how someone could fall for it!! Scary!!!!
Same call to me this morning (27 January 2016) – 'Talk Talk calling about a fault in my router'. Woman spoke very poor English, with strong Indian accent. I did have a problem with sending e-mails yesterday so I did not at first suspect the call until after following instructions (with difficulty) for a few minutes, she asked me to enter a series of letters but she did not know the international phonetic alphabet – so game over – I hung up.
A couple of minutes later I received another call from a man called Martin, who asked me quite aggressively why I had hung up. I asked him who he was and from where he was calling – no reply so I hung up.
I did not enter any sensitive data (banking details, passwords etc.) and the obvious anger of Martin suggested their call had failed. (It was a withheld number). However I reported the call to Talk Talk and shall alert my bank.
I have received four calls in the last week saying that I have a problem with my router. I asked them to confirm my Talk, Talk account details. They were able to quote my account number and asked me to log onto my computer to upload new software. I refused and was subject to verbal abuse.
This is a serious breach of confidentiality as the only way this company was able to access my information was by hacking into Talk, Talk data.
I just had a call frm a lady with a thick Indian accent telling me that my talk talk Internet has downloaded harmful files and that I must turn my computer on and go to a Web site to fix the problem, I told her I don't have a computer so she said use my laptop, I told her I dnt use a laptop so she said how do I access the Internet and I said i use my smartfone as I said that she hanged up immediately,
This is still going on now, I've had a phone call today about malware and viruses trying to access our devices so our Internet would need to be switched off in 2 hours time. They also asked if I would help them fix the problem by telling them which devices we use to access the Internet. I didn't trust them, or their responses to my questions voicing this concern, which skirted around giving me a proper answer, so I didn't tell them anything and hung up. It did sound very plausible though, it's so bad it's still going on and isn't made clearer to customers!
Over the last week 'talk talk' telephoned me at least 7 times. Four times today stating there is a big problem with my 'router'. After the first 3 calls something didn't seem right. Contacted the real talk talk and it was confirmed. The Indians with thick Indian accents were scammers. 'Joe Willaims ' got angry when I said I didn't have a laptop. I told them I had already spoken to talk talk and they had confirmed it was a scam. But they still called back at least 3 times in one day. Talk talk customers should warn Their customers.
The overseas staff sell your details, there are UK only call centre BB suppliers. If your bothered about your security and/or don't want to be pestered day and night from scammers then I suggest you use them.