Six months on from the TalkTalk hack – how has the firm suffered?

Hack costs telecoms firm £42 million, but consumers have short memories.


Just over six months have passed since UK telecoms operator TalkTalk found itself on the front pages of national newspapers and apologising for its sloppy security.

In my view, TalkTalk acted pretty badly before the hack (there had been a string of other data breaches involving the firm in the previous 12 months) and shoddily afterwards to its defrauded customers.

But for most people, their memory of the breach will be forever associated with the performances of CEO Dido Harding (also known as Baroness Harding of Winscombe) on live TV news broadcasts. Ms Harding often appeared to be out of her depth as she attempted to reassure customers that the firm could be trusted with their personal data.


It was like watching Bambi attempting to walk for the first time, as a juggernaut bore down on her… its headlights blazing…


It later transpired that the data breach wasn’t quite as bad as it might have been. TalkTalk described how “only 4%” of its users, a mere 156,959, had their details accessed in the hacking attack on its systems.

That’s not much consolation for those 157,000 individuals – but was clearly a lucky escape for TalkTalk which didn’t appear to have rescued the information of millions of its other users through any skill of its own.

Indeed, it seems that far from being “highly sophisticated” as TalkTalk liked to describe it, the attack was a rudimentary SQL Injection attack (or “sequential attack” as Dido Harding chose to incorrectly describe it to the Financial Times).

SQL injection attacks are not new. They are security 101. Any web developer worth their salt should know about the risk of SQL injection attacks, and harden their code to prevent them from succeeding.

In total, six individuals under the age of 21 have been arrested in connection with the TalkTalk hack.

Six months on…

So, it’s now just over six months on – what has been the impact on the company?

Well, as The Independent reports, TalkTalk’s profits have more than halved – falling to £14 million compared to £32 million a year before.

Furthermore, the hack is said to have cost TalkTalk a stonking £42 million, and saw 101,000 subscribers leave the firm in Q3 2015.

Ouch! Mind you, I suspect the figure might have been much worse if TalkTalk had allowed other subscribers to break their contract following the hack a little more easily.

As it was, TalkTalk only allowed victims to quit the firm if they could prove they were defrauded as a direct result of their personal information being stolen from TalkTalk, rather than as a result of a scammer using the stolen TalkTalk data to extract further details while posing as a TalkTalk employee on the phone.


“In the unlikely event that money is stolen from a customer’s bank account as a direct result of the cyber attack (rather than as a result of any information given out by a customer) then as a gesture of goodwill, on a case by case basis, we will waive termination fees.”

Was that really demonstrating good customer service? I wasn’t convinced.

In an interview today with BBC News, Dido Harding is clearly putting a positive spin on things, as the company saw improved results in Q4, adding 148,000 subscribers:

“I am actually very encouraged by the way the business has bounced back so strongly in the last quarter. The customer base has really stabilised and this is testimony to the fact that our customers really appreciated our open and honest approach and how we tried to look after them through the cyber attack.”

Hmm. I’m not sure I quite buy into that explanation.

I think what’s happening here, and has happened with other high profile hacks in the past, is that the public has proven it has a short memory.

When a hack is making the TV news and hitting the headlines, customers are often boiling with rage and threatening to close their accounts.

But as time goes by, tempers subside, and – unless you were one of the poor unfortunates who lost thousands of pounds as a result of TalkTalk’s incompetence – it’s all too easy to forget how you were treated before, and allow contracts to renew rather than switch providers.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

7 comments on “Six months on from the TalkTalk hack – how has the firm suffered?”

  1. SteveG

    Very true, people just don't care enough, all they want is cheap Internet access no matter what level of safeguards is in place for the service.


  2. Former TT customer (preferring to remain anonymous)

    I was a TalkTalk customer but had left a few weeks before the hack news broke. Since the hack I've had several obviously fraudulent calls to my landline (the number hasn't changed since I moved to a different company) purporting to be from a TalkTalk call centre and saying they needed to discuss something with me about my account. After the first of these I contacted TalkTalk to try to find out whether my details, along with those of any other former customers, were divulged in the hack, but they seemed unable or unwilling to even understand the question, never mind answer it. I therefore believe that the figure the company released of accounts affected may well be lower than the actual number of people affected, as I am sure they will only have admitted to extant customers affected and not have included numbers of former customers whose data may also have been lost. The fact that TT – along, doubtless, with thousands of other companies in many different industries – do not delete/destroy the personal data of former customers after accounts are closed down should be a matter of much greater concern to customers and politicians/lawmakers. Deletion should be mandatory and there ought to be fines significant enough to provide a deterrent to any company tempted to retain data longer than necessary.

  3. SlipperyJim

    I started getting spam calls to my home office (Talk Talk) landline on the Sunday; they came clean on the Thursday. I was getting one or two spam calls a day, which I didn't answer if the caller ID looked wrong. After two weeks the calls tailed off.

  4. Lee Grant

    I run a computer repair business. I estimate that of all the scam calls my customers tell me about, 95% are TalkTalk customers.

  5. Andy Brazil

    Yep, just had a scam call: they knew the account name and number, wanted me to log on to so they could control the PC. Hung up on them, called talk-talk to tell them the scammers were the last incoming call on my line. They weren't interested, said they couldn't get the number. It's your phone-line guys, even a withheld number has to have routing information in your logs. Talk-talk clearly aren't interested in catching these people.

  6. Sarah

    I've been getting calls from 'talktalk engineers' for as long as I can remember, long before the hacking. The news of the hacking actually shocked me like it was all new to them?! I had been telling talktalk about it for ages! It all started sometime early last year, I had a call from an Indian lady claiming to be from talktalk asking me if my internet had been running slow, I had my doubts because she asked me about websites I use to do my online shopping but as my internet was actually slow I kind of trusted her and followed her instructions. I started to download a software, then she told me to leave it until it was completed and the call ended. I had a really bad gut feeling and thought about things she said that didn't seem right like why would she want to know where I shop online plus the software wanted me to confirm that I knew and trusted the people before confirming to continue and I obv didn't but she was convincing me to press continue so I cancelled the software mid running. Anyway, I told my brother who is a computer engineer about it, he went berserk at me and cleared everything off my laptop straight away. A few days later I had a call again from the same lady telling me there was a problem repairing the issues on her side, when I told her I had cancelled the software while it was downloading, she actually yelled at me down the phone so I hung up on her and informed talktalk. Talktalk told me they are scammers and not to entertain these calls, I wanted to know how these people got my number but they couldn't tell me. Even after I complained and threatened to leave they just didn't seem to care, offer any explanation or remorse. Just told me how long my contract is and termination fee which I refused to pay and carried on as normal.

    I still get these scam calls now, the last one I had was a few weeks ago, a man called stating he was a talktalk engineer, he told me he was really sorry but my internet was going to have to be disconnected that day, I told him that was fine and he suddenly lost his temper for no reason at all and yelled at me down the phone asking why I was okay with that so I hung up and informed talktalk again who told me to register my number with a company who will stop these calls coming through and told me how I can block numbers (I had to buy a new landline with a display screen so that I could see the number phoning me and block it). Still absolutely no explanation to how the scammers got hold of my number, no suggestions of goodwill, nothing. A man before that called posing as a talktalk engineer and hung up when I told him I don't have a computer. The calls I have had to put up with have been a little abusive as I have had no reason to get shouted at, it's my internet if I don't care it's going to be disconnected or if I've stopped software running why get so angry at me? It's so obvious they are not calling from talktalk and they are extremely rude, bad tempered and unprofessional. Good on the customers who are suing talktalk.

  7. John Cox

    I was scammed properly from this company during my contract when after the first month they changed the monthly direct-debit payment without warning and explanation, increasing the charge consistently for a simple broadband. I tried to switch off my contract with them after the hacking attack last year, but I can't leave the company about a fee, they're sharing my information with a debt recovery company who threatened me to pay the contract closure plus a supplementary charge for this company. For what all this?? For a couple of months of contact with this wonderful company, I was scammed and hacked from them to pay a lot of money for a very poor service which many times was out of order for days and more… I think this company acts in this way, they don't have any interest to provide a quality service when they have the possibility to win a lot of money only forcing you to leave after a couple of weeks or months. Why can nobody close down this bunch of scammers?
