Personal details of 4,500 customers found online, despite being told by TalkTalk the data had not been compromised
The personal details of 4,500 TalkTalk customers have been discovered online after it was leaked as part of the hugely damaging data breach of the Internet Service Provider (ISP) in 2015.
BBC Watchdog found the details of the customers online four years after the breach, and to make matters worse, these customers had been informed by the ISP that their data had not been affected by the breach.
In late 2018 two Staffordshire men were jailed after they admitted the roles they played in the huge data breach at TalkTalk in 2015 that cost the ISP £77 million and resulted in 157,000 TalkTalk customer records being stolen.
BBC Watchdog conducted the investigation after viewers contacted it, worried that their data had been involved in the 2015 data leak.
TalkTalk told them previously they were not affected by the breach, but Watchdog researchers using a simple Google search it seems were able to find the compromised data of some 4,500 customers including name, address, email, bank details, landline and mobile numbers and date of birth.
The information is thought to have been online since the breach.
“The customer data referred to by BBC Watchdog relates to the historical October 2015 data breach. It is not a new incident,” the ISP confirmed to the BBC.
And when the BBC presented the findings to TalkTalk, the ISP added it was a genuine error and that it has since written to all impacted customers to apologise.
“The 2015 incident impacted 4 percent of TalkTalk customers and at the time, we wrote to all those impacted,” the ISP reportedly said in a statement.
“In addition, we wrote to our entire base to inform them about the breach, advise them about the risk of scam calls and offer free credit monitoring to protect against fraud,” TalkTalk said. “A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologise. 99.9 percent of customers received the correct notification in 2015.”
“On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss,” the ISP claimed.
However, some of the victims confirmed to the BBC that they have been targetted by scams calls and in some cases attempted fraud and identity theft, all of which impacts their credit rating.
And security expert are less than impressed by the response from the ISP.
“Failure to let customers know of a data breach is similar to being kicked while you are down,” explained Jake Moore, Security Specialist at ESET.
“Losing data on this scale was an enormous error for TalkTalk which caused serious issues throughout the business, especially to their brand’s reputation,” Moore added.
“The first thing companies should do as soon as they are made aware of any cyber threat or breach of their customers’ data is to hold their hands up and make them aware,” Moore said. “They should also include advice on next steps for customers. It is becoming a given that companies could get hacked, whatever the company size.”
“However, the most important part of holding on to that reputation is being open, honest and clear about any attack from the earliest opportunity,” he added. “This latest discovery could further damage their business. If anyone has a TalkTalk account since before the 2015 breach occurred and have not changed operator, then it would be a good idea to monitor for fraudulent activity on their cards and be extra cautious of targeted phishing attacks. Never click on links in emails you are not expecting – even if they look genuine and personalised.”
Another expert said there were important lessons to be learned from the breach.
“TalkTalk is one of the biggest breaches in history and a lot of lessons can be learned from the incident, particularly regarding the clean-up,” said Shlomie Liberow, technical program manager at HackerOne.
“Of course, it is critical to gather all the information before telling customers if their data was affected and it is definitely not recommended to tell people their data was not compromised unless 100 percent certain, but when faced with an unprecedented incident like TalkTalk was back in 2015, it’s realistic that something might slip through the gaps,” said Liberow.
“Therefore, while consumers place trust in companies to keep their data secure, when they learn of a data breach of this magnitude, I’d recommend they also take precautionary steps to secure their data regardless of whether or not they think they’ve been affected,” he added.
“In a case like this, keeping vigilant for spam and phishing emails is going to be key after such a breach and notifying your bank to be alert for any suspicious activity is also a must, as well as keeping an eye out for this activity yourself,” said Liberow. “Taking responsibility for this, regardless of how a company behaves, will empower consumers to be more secure in the long run.”
The ability of customers to know whether their data has been hacked or not was picked up by another security expert, who suggested that TalkTalk should provide those affected with ID protection.
“Today, consumers can be broken into two groups – those who know they have been hacked, and those who don’t know they’ve been hacked,” said Anjola Adeniyi, Technical Leader at Securonix.
“The latest announcement that more people were impacted by the TalkTalk breach is going to have an enormous impact on those affected, from identity theft to financial compromise, the list is endless,” said Adeniyi. “This is surely one case where an apology is not enough, and TalkTalk should offer identity theft and fraud protection to the affect customers.”
“The unfortunate reality is that if the data was accessible for this long on the dark web, the chances are it has already been accessed by unintended parties,” Adeniyi warned.
Do you know all about security? Try our quiz!