TV Licence website said it was secure. It wasn’t

Personal information was not encrypted when it was transmitted from customers’ PCs.

Graham Cluley


One of the glorious things about living in the UK is that we have to pay a licence fee if we want to watch television.

It must seem crazy to much of the rest of the world, but it’s a bargain at £150.50 each year (just £2.89 per week) that gives us the glorious (and ad-free) BBC. The BBC is as British as poor weather and bad sex, and we wouldn’t be the same without it.

So how do you pay for a TV licence? You go to, of course.


Unfortunately, as blogger Mark Cook revealed last week, the official UK TV licensing website was allowing licence purchasers to submit their personally identifiable information and bank details in unsafe, unencrypted plaintext.

The problem was that the TV Licensing website didn’t force visitors to its HTTPS version. If you used, any data you typed into the site’s online forms would have been sent via an encrypted connection. Good news!

But many users probably weren’t careful enough to ensure that they had remembered the “s” on “https”, and would have unwittingly found themselves on the unencrypted HTTP version instead.

Oh dear. One wonders if TV Licensing have been ignoring the advice of the National Cyber Security Centre, which advises that all webpages should always be served over HTTPS “even if they don’t include private content, sign-in pages, or credit card details.”

Part of the problem with TV Licensing’s site, explained Cook, was that a canonical tag in the website’s source code actually told search engines like Google to prefer the insecure HTTP version over the safer HTTPS edition! D’oh!

This rather undermines the message that one assumes the website’s creators put in the sidebar to reassure licence purchasers that the details they entered onto the site were safe:

Secure website

Whether you’re paying for your TV Licence, setting up a Direct Debit, or updating your details, you can relax in the knowledge that this is a secure website and your personal information is safe with us.

Cook poked the website’s Twitter account about the poor security, only to be eventually told:

“Our website is secure and our website’s security certificates are up to date, so rest assured, personal details are safe.”

However, some hours after Cook published a blog post about his findings, the TV Licensing website was taken down for maintenance. Was this just pure coincidence?

I think not, because on the site’s return it properly forced all visitors to use its HTTPS incarnation, ensuring that any personal information or banking details were sent via an encrypted connection between the licence buyer’s PC and TV Licensing’s server.

Furthermore, in an FAQ about the unexpected downtime published on its website, TV Licensing admitted it had been busy fixing its website:

We were recently alerted to an issue with our website’s security following a technical update. We took the site down straight away so that we could fix it.

We take the security of our customer’s data very seriously. That’s why it’s our normal practice that when our customers make payments or send us financial or other personal details through our website, the data is encrypted to keep it safe.

Q: What is the likelihood that I have been affected?
A: Customers may have been affected if they visited the TV Licensing website from 29 August until around 3.20pm on 5 September 2018 and entered personal data into the website. The risk of customers having their data accessed is very low, and we are not aware of anyone’s data being obtained.

Q: What personal data of mine could have been at risk?
A: During this limited period, customer transactions using debit and credit cards were still encrypted. However, if the HTTP version of a web page was being used, personal data such as customers’ names, addresses, bank details (sort code and account number) given to us – for example, to set up or amend a direct debit – were not encrypted. There is no evidence of the website being subject to any sort of attack, or anyone having acted maliciously and the chances of anyone having accessed this information are very small.

TV Licensing is right. There isn’t any evidence that anyone’s data was accessed because of this screw-up. But what they aren’t telling you is that there’s no way they would actually know if it had been.
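A defender-side check for the two faults described above: pages answering over plain HTTP instead of redirecting to HTTPS, and a canonical tag that points at the HTTP URL. This is an added example, not code from Mark Cook or TV Licensing; the function name, finding labels and the www.example.test responses are constructed for illustration, and the HSTS check goes beyond what the article covers.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class CanonicalFinder(HTMLParser):
    """Collect the href of every <link rel="canonical"> tag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "canonical" in a.get("rel", "").lower().split():
            self.hrefs.append(a.get("href", ""))


def audit_response(url, status, headers, body=""):
    """Return sorted HTTPS-enforcement findings for one http(s) response."""
    findings = set()
    hdrs = {k.lower(): v for k, v in headers.items()}
    if urlsplit(url).scheme == "http":
        # Plain HTTP should only ever answer with a redirect to HTTPS.
        target = urlsplit(hdrs.get("location", ""))
        if not (300 <= status < 400 and target.scheme == "https"):
            findings.add("http-served-without-redirect")
    elif "strict-transport-security" not in hdrs:
        # Beyond the article: without HSTS a later visit can start on HTTP.
        findings.add("https-without-hsts")
    finder = CanonicalFinder()
    finder.feed(body)
    if any(urlsplit(h).scheme == "http" for h in finder.hrefs):
        # Search engines are being told to prefer the HTTP URL.
        findings.add("canonical-points-to-http")
    return sorted(findings)


# Constructed samples; www.example.test is a placeholder host.
BEFORE = ("http://www.example.test/pay", 200, {"Content-Type": "text/html"},
          '<link rel="canonical" href="http://www.example.test/pay">')
AFTER_HTTP = ("http://www.example.test/pay", 301,
              {"Location": "https://www.example.test/pay"}, "")
AFTER_HTTPS = ("https://www.example.test/pay", 200,
               {"Strict-Transport-Security": "max-age=31536000"},
               '<link rel="canonical" href="https://www.example.test/pay">')

if __name__ == "__main__":
    for sample in (BEFORE, AFTER_HTTP, AFTER_HTTPS):
        print(sample[0], sample[1], audit_response(*sample))
```
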


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 comments on “TV Licence website said it was secure. It wasn’t”

  1. That's what FirstDirect says as well. To this day they are still sending emails to customers with a link directing customers to their HTTP login page. :|
