TalkTalk has become the latest business to admit that it had lost customer data, including credit card information, due to a cyberattack. According to one source up to 4m customer records are believed lost.
The attack took place on Wednesday and details were posted on the TalkTalk help site by Tristia Harrison, Managing Director (Consumer) at TalkTalk. In her post she says:
“We are very sorry to tell you that on Thursday 22nd October a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyberattack on our website on Wednesday 21st October. The investigation is ongoing, but unfortunately there is a chance that some of the following data may have been accessed:
- Dates of birth
- TalkTalk account information
- Credit card details and/or bank details
We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.”
What is surprising about this post is that there is no mention of customer data being encrypted and therefore hard to access, just an admission that the data may have been accessed. It will concern customers that their details were apparently not encrypted, as encryption is best practice for any company holding payment details. It is also a requirement for PCI compliance, and if this turns out to be a PCI breach it could result in a very heavy fine for TalkTalk.
According to a comment on the UK Cards Association website: “Make sure that you are only keeping data that is essential and ensure it is encrypted and/or masked.”
There are many questions that people will want the answer to. Among them are:
- Was it an external or internal attack?
- Did the attack exploit poor security?
- Were the credentials of staff at TalkTalk compromised prior to the attack through a phishing attack?
It is too early to know whether it was any of these. All we know at the moment is that TalkTalk was hit by a Distributed Denial of Service attack, which was used as cover for the theft of data.
What to do if you are a TalkTalk customer
Harrison has said that TalkTalk is contacting customers and has informed banks of the details of the customers whose accounts have been compromised. She also recommends that customers check their credit report with the major credit agencies.
Unfortunately there is no offer from TalkTalk to help protect customers by paying for credit reports for a year or two. This is a shame, as it would at least show that TalkTalk realises it needs to do more than place the onus on customers: it wasn’t the customer who lost the data. US companies are increasingly offering to pay for credit reports, and it is time the Information Commissioner’s Office made that a requirement here in the UK.
Customers should also change all of their passwords in case their email account has also been compromised. Taking over a victim’s email is one of the first things attackers like to do, because it lets them reset bank and other online financial system passwords without the customer knowing about it.
According to a statement by Jon French, security analyst at AppRiver: “The two major things customers need to do are keep an eye on their banking information to look for fraudulent transactions, as well as be vigilant with communications. By communications, I mean they should be suspicious of any unexpected emails or phone calls that may be asking them for additional information.
“If someone calling or emailing you already has information like name, address, email address, or other account information, that doesn’t mean they can automatically be trusted. They may cite that data to get someone to trust them to hand over more information like a credit card or password.”