TV Licence website said it was secure. It wasn’t

Personal information was not encrypted when it was transmitted from customers’ PCs.

Graham Cluley


One of the glorious things about living in the UK is that we have to pay a licence fee if we want to watch television.

It must seem crazy to much of the rest of the world, but it’s a bargain at £150.50 each year (just £2.89 per week) that gives us the glorious (and ad-free) BBC. The BBC is as British as poor weather and bad sex, and we wouldn’t be the same without it.

So how do you pay for a TV licence? You go to www.tvlicensing.co.uk, of course.


Unfortunately, as blogger Mark Cook revealed last week, the official UK TV licensing website was allowing licence purchasers to submit their personally identifiable information and bank details in unsafe, unencrypted plaintext.

The problem was that the TV Licensing website didn’t force visitors to its HTTPS version. If you used https://www.tvlicensing.co.uk, any data you typed into the site’s online forms would have been sent via an encrypted connection. Good news!

But many users probably weren’t careful enough to ensure that they had remembered the “s” on “https”, and would have unwittingly found themselves on the unencrypted HTTP version instead.


Oh dear. One wonders if TV Licensing have been ignoring the advice of the National Cyber Security Centre, which advises that all webpages should always be served over HTTPS “even if they don’t include private content, sign-in pages, or credit card details.”

Part of the problem with TV Licensing’s site, explained Cook, was that a canonical tag in the website’s source code actually told search engines like Google to prefer the insecure HTTP version over the safer HTTPS edition! D’oh!
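The two faults described above (no forced redirect from HTTP to HTTPS, and a canonical tag naming the HTTP address) can both be checked from a single response. The following is an added example, not code from Mark Cook's post or from TV Licensing; the function name `audit_page`, the finding labels and the `example.test` responses are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PageScan(HTMLParser):
    """Collects canonical link targets and form actions from a page."""

    def __init__(self):
        super().__init__()
        self.canonicals, self.form_actions = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "canonical" in (a.get("rel") or "").lower().split():
            self.canonicals.append(a.get("href") or "")
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")


def audit_page(url, status, headers, body):
    """Return a sorted list of transport-security findings for one response."""
    findings = set()
    hdrs = {k.lower(): v for k, v in headers.items()}
    target = urljoin(url, hdrs.get("location", ""))
    redirected = status in (301, 302, 303, 307, 308) and urlsplit(target).scheme == "https"
    if urlsplit(url).scheme == "http" and not redirected:
        findings.add("served-over-http")
    scan = _PageScan()
    scan.feed(body)
    # Relative hrefs and actions inherit the scheme of the page itself.
    if any(urlsplit(urljoin(url, c)).scheme == "http" for c in scan.canonicals):
        findings.add("canonical-points-to-http")
    if any(urlsplit(urljoin(url, f)).scheme == "http" for f in scan.form_actions):
        findings.add("form-posts-over-http")
    return sorted(findings)


# Constructed sample responses (not captured from any real site).
BEFORE = ("http://www.example.test/pay", 200, {"Content-Type": "text/html"},
          '<html><head><link rel="canonical" href="http://www.example.test/pay">'
          '</head><body><form action="/direct-debit" method="post">'
          '<input name="sort_code"><input name="account_number"></form></body></html>')
AFTER = ("http://www.example.test/pay", 301,
         {"Location": "https://www.example.test/pay"}, "")

if __name__ == "__main__":
    print(audit_page(*BEFORE))
    print(audit_page(*AFTER))
```

The canonical check also fires on a page that is itself served over HTTPS, since a canonical tag naming the HTTP address steers search engines to the insecure version either way.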

This rather undermines the message that one assumes the website’s creators put in the sidebar to reassure licence purchasers that the details they entered onto the site were safe:

Secure website

Whether you’re paying for your TV Licence, setting up a Direct Debit, or updating your details, you can relax in the knowledge that this is a secure website and your personal information is safe with us.

Cook poked the website’s Twitter account about the poor security, only to be eventually told:

“Our website is secure and our website’s security certificates are up to date, so rest assured, personal details are safe.”

However, some hours after Cook published a blog post about his findings, the TV Licensing website was taken down for maintenance. Was this just pure coincidence?

I think not, because on the site’s return it properly forced all visitors to use its HTTPS incarnation, ensuring that any personal information or banking details were sent via an encrypted connection between the licence buyer’s PC and TV Licensing’s server.

Furthermore, in an FAQ about the unexpected downtime published on its website, TV Licensing admitted it had been busy fixing its website:

We were recently alerted to an issue with our website’s security following a technical update. We took the site down straight away so that we could fix it.

We take the security of our customer’s data very seriously. That’s why it’s our normal practice that when our customers make payments or send us financial or other personal details through our website, the data is encrypted to keep it safe.

Q: What is the likelihood that I have been affected?
A: Customers may have been affected if they visited the TV Licensing website from 29 August until around 3.20pm on 5 September 2018 and entered personal data into the website. The risk of customers having their data accessed is very low, and we are not aware of anyone’s data being obtained.

Q: What personal data of mine could have been at risk?
A: During this limited period, customer transactions using debit and credit cards were still encrypted. However, if the HTTP version of a web page was being used, personal data such as customers’ names, addresses, bank details (sort code and account number) given to us – for example, to set up or amend a direct debit – were not encrypted. There is no evidence of the website being subject to any sort of attack, or anyone having acted maliciously and the chances of anyone having accessed this information are very small.

TV Licensing is right. There isn’t any evidence that anyone’s data was accessed because of this screw-up. But what they aren’t telling you is that there’s no way they would actually know if it had been.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “TV Licence website said it was secure. It wasn’t”

  1. Mark

    Hmmm. In the UK we have a TV Licence and not a License ;-)

  2. Stuart

    I would not say the programmes aired on the BBC tv channels are worth the licence anymore.

  3. Gabor

    That's what FirstDirect says as well. To this day they are still sending emails to customers with a link directing customers to their HTTP login page. :|

  4. Ian Doherty

    TV Licensing are still security amateurs even in December 2021.
    Have been receiving email invites from [email protected] to push an onscreen button to go paperless. But who knows where that may take me or what it might download. Under ‘security’ section they attempt to assure me they are legitimate because they can quote my surname and part of my postcode in the message. Very amateur. Both those pieces of data are freely available on the Electoral Register and every time you order something online, your email is linked to your address, so name, geographic address and email are a linked item of data widely available in the data Wild West.
    This is not evidence of their legitimacy but rather evidence of incompetence and ignorance of cyber security.
    There is nothing up front in the TV Licensing email such as even your licence number etc to assure you the email is legitimate before you push the button, and go down the rabbit hole to who knows where, with their worthless upfront assurance of security.
    It potentially may lower one's caution to further data you may be asked to confirm.
    How can you take an organisation seriously with this idea of cyber security in an increasingly sophisticated world of hack and scam?
