Hackers have stolen the personal details of thousands of TalkTalk customers and, in some cases, used them to scam victims out of further details such as sensitive banking information.
Yesterday, UK broadband and phone operator TalkTalk emailed customers to tell them that an investigation had uncovered a significant data breach involving a third-party contractor that had legitimate access to customer account details.
As a result, customer account numbers, addresses and phone numbers had fallen into the hands of criminal fraudsters – who were then, in some cases, using them to make scam phone calls to TalkTalk users.
Here is part of the email that TalkTalk sent to its customers:
Following a detailed investigation, we understand that some customer information, including account numbers, could have been illegally accessed in violation of our security procedures. No financial data was at risk as this is encrypted on our systems.
We have been working with an external specialist security company to take urgent and serious steps to prevent this happening again.
Rumours of a TalkTalk data breach have been bubbling up since December, but this is the first official confirmation that a serious security incident occurred.
The company says that since the end of last year it has been “working to find out how it happened, as well as putting in place robust security measures to stop it happening again.” Now that the investigation is completed, it says it is ready to inform its customers.
That’s too late, unfortunately, for some TalkTalk customers.
For instance, The Guardian spoke to semi-retired HR consultant Graeme Smith, who says that he was called by someone claiming to be a member of TalkTalk’s fraud team, who told him that they had intercepted a hacker attempting to gain access to his internet account via his router.
By referring to his name and TalkTalk account details, the Indian-accented scammers were able to trick Smith into downloading software onto his computer. He later found over £2,800 had been stolen from his online bank account.
Considering what a major news story this is, and the concern that many TalkTalk customers must be feeling, it’s a shame that there’s currently no mention of the data breach on TalkTalk’s homepage.
Instead, you have to dig down and find an FAQ about the dangers of phone scammers, and scroll to the bottom where an FAQ about the data breach is located.
Details of precisely what occurred are not currently forthcoming, but the speculation will be that it involves lax security at a call centre, perhaps located overseas.
Large companies often bring in third-party call centre services to handle the pain of customer relations and account management, meaning they also have to trust them with access to their customers’ details.
Unfortunately, it’s unlikely that scammers and fraudsters are only targeting TalkTalk – there is a good chance that other ISPs and comms companies have also been on the receiving end of attacks from hackers eager to steal customer data.
This is a point that TalkTalk itself is keen to make, and in its email to customers it emphasises that they aren’t the only ones in the firing line.
Kind of them to think of other firms when they’re suffering their own damaging data breach. (Psst! BTW, TalkTalk. That link to your page about phone scams doesn’t work, because your slash is the wrong way round).
Everyone needs to be on their guard for unsolicited emails and phone calls. If in doubt, go the extra mile to confirm that the person contacting you is legitimate and from the company they say they are.
Often the best way is to visit the company’s real website, and look for a contact number there rather than trusting them to identify themselves truthfully if they call you.
TalkTalk has published guidance for consumers on how to avoid scam phone calls on its website.