The UK broadband and telecom provider TalkTalk has announced a major data breach potentially affecting more than 4 million customers.
TalkTalk said there is “a chance” customer data lost in the breach includes vital personally identifiable information: names, addresses, dates of birth, phone numbers, email addresses, TalkTalk account details and payment card information.
The company is advising customers to monitor their bank accounts for signs of fraud, and has pledged to set up some kind of free credit monitoring service in the coming days.
Meanwhile, TalkTalk customers are unable to change their account passwords until TalkTalk’s My Account website is restored – the site was still down as of 5pm BST on Friday, 23 October.
The company said it has taken the site down “as a precaution” while an investigation is ongoing:
The TalkTalk website is unavailable right now
We are working to restore My Account as quickly as possible. You don't need to change your password until My Account is restored. As soon as it is, we'll explain how to do it.
The company said that a “sustained cyberattack” on its website began on Wednesday, 21 October.
A spokesperson told the Register that the TalkTalk website was also hit by a distributed denial of service (DDoS) attack, which flooded the website with fraudulent traffic and prevented legitimate users from accessing the site. But that wouldn’t explain the data loss.
Sophos security expert James Lyne speculated that malicious hackers may have used the DDoS attack as a smokescreen to distract TalkTalk’s IT team while the attackers broke in and stole customer data, but we cannot be certain until TalkTalk can review what happened.
TalkTalk CEO Dido Harding has been talking to the media since Thursday, including telling the BBC that she had received an email from the purported attackers demanding a ransom for the stolen data.
TalkTalk hasn’t yet told its customers precisely what information was stolen, although it said it hasn’t determined the full extent of the attack – in its FAQ on the incident, the company said it’s “too early to say” how many people were affected and how much data was lost.
That’s understandable – two days is hardly enough time to conduct a full investigation.
But TalkTalk also said not all of the data was encrypted, without providing more information such as: which data was encrypted, and how was it encrypted?
James Lyne says it would be helpful if TalkTalk was much more transparent about these facts, because people rightly want to know how much risk they face in terms of of bank, credit card, or other forms of identity theft.
Even if vital information was encrypted, poor implementation could render the encryption worthless, according to James:
Encryption is worthless if the key was available to attackers. Still, some honesty around how that information was stored could really help risk assessment.
This is the third incident of data loss affecting TalkTalk customers this year.
In February, TalkTalk began warning customers that “a small number” of its customers had been victims of fraud.
Scammers used stolen customer account numbers and phone numbers to contact customers, pretend they were TalkTalk employees, and trick some people into divulging their bank account details.
Then, in August, some of TalkTalk’s mobile customers had personal information stolen by cybercriminals who attacked a partner’s website.
Something quite similar happened with the recent breach of 15 million T-Mobile customers’ data, which was actually stolen from Experian.