TalkTalk, the budget brand for broadband and pay-television in the United Kingdom, suffered a further significant and sustained attack on its credibility, after revealing that its customer data had been hacked. It said that details of up to four million customers, including account information and bank details could have been compromised. It later suggested that only partial credit card numbers may have been revealed. There are clear lessons for any online service provider.
In a statement, the company admitted that the data could include names, addresses, date of birth, phone numbers, email addresses, account information, credit card details and/or bank details. The company later said that only partial payment card numbers may have been accessed.
It said it was working cyber crime specialists and the police to establish exactly what happened and the extent of any information accessed.
The company chief executive, Baroness “Dido” Harding, revealed that she had personally received a ransom demand from someone claiming responsibility.
She was unable to say whether any of the information had been encrypted, and much less explain how it came to be compromised.
A possible route could have been through what is known as an SQL injection attack, which simply involves adding commands to a web request to gain access to a database.
Unfortunately, the company did not appear to take the advice published on its web site since 2008. It was recently removed but remains in the Google cache. It offers advice to developers on how to avoid SQL injections.
It appears that the company was subjected to a distributed denial of service attack which may have slowed its systems, distracted security staff, or exposed weaknesses that could be exploited.
It is beyond belief that user account information, let alone bank account information, could be stored unencrypted, if that is the case. Then again, encryption is of little protection if the key is can be accessed.
TalkTalk suggested there was no risk of fraudulent transactions because only partial payment card numbers were stored. It also said that TalkTalk account passwords had not been accessed.
However, even names, addresses, account numbers and partial payment card numbers could be used by fraudsters to trick consumers, and have been in the past.
The customer account section of the TalkTalk web site has been offline for some days, and advises customers to change their password once it is restored.
In the meantime, customers are advised to change passwords on any accounts that may use the same password, monitor their bank accounts, check their credit rating and be alert to further attempts to gain access to their confidential information.
TalkTalk customers might also be advised to switch to a provider that takes data security rather more seriously.
Back in February, TalkTalk admitted “some limited, non-sensitive information about some customers could have been illegally accessed in violation of our security procedures”.
While the company said it had “taken serious steps to remedy this” it appears to have learnt little from the experience.
In August another incident resulted in the theft of up to two million mobile phone customer details.
As a challenger brand, the TalkTalk business is based on value bundles of fixed and mobile telephony with television and broadband. It has recently been seeking to reduce operating costs through increased customer self-service, in a programme it calls “Making TalkTalk Simpler”.
TalkTalk claims to be the third largest pay-television platform in the United Kingdom, with 1.4 million customers, some way behind Sky and Virgin Media but ahead of BT.
However, net television customer additions for the first quarter of 2015 were at their lowest level since the launch of its YouView service.
In its most recent trading update in July, TalkTalk unusually made no reference its television customer numbers. The company appears to be more cautious about revealing customer numbers than customer data. TalkTalk will announce its half-year figures in November, when it can expect questions on its performance.