BBC has reported that the 2015 data breach suffered by TalkTalk, that compromised the personal information of 156,959 customers and cost the company up to £35 million to remediate its impact, also impacted a further 4,545 customers who were not informed by the company about the loss of their personal and financial information.
In November last year, two young British hackers named Matthew Hanley and Connor Allsopp were jailed for twelve months and eight months respectively for carrying out a cyber attack on TalkTalk and stealing personal data of as many as 157,000 TalkTalk subscribers.
The cyber attack on the telecom company affected up to 157,000 subscribers, resulted in the loss of more than 15,000 bank account numbers, and cost TalkTalk between £40 million and £45 million as well as a total of 101,000 customers in the third quarter of 2015.
TalkTalk didn't secure a database that contained customer records
A year after the attacks took place, the Information Commissioner's Office issued a record £400,000 fine to TalkTalk "for security failings that allowed a cyber attacker to access customer data 'with ease'”.
The ICO noted that TalkTalk failed to properly identify a database containing customer records that featured inherent vulnerabilities and the same was infiltrated by hackers using SQL injection, resulting in a massive breach of customer records.
"TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action," said Elizabeth Denham, the Information Commissioner.
According to BBC, in addition to the 157,000 subscribers whose personal and financial information were accessed by hackers, a further 4,545 TalkTalk subscribers were also affected by the cyber attack but were not informed by the company about the breach of their personal records.
A large number of existing and former TalkTalk subscribers contacted BBC Watchdog Live to inform about their concerns that their personal and financial data could have been breached by the telecom company. Following a Google search, BBC confirmed that full names, addresses, email addresses, dates of birth, TalkTalk customer numbers, mobile numbers and bank details of approximately 4,500 customers were available online.
TalkTalk admits to not informing 4,545 customers about breached records
TalkTalk admitted that the details accessed by BBC pertained to the massive breach it suffered in 2015 as a result of hackers targeting its online systems. "The customer data referred to by BBC Watchdog relates to the historical October 2015 data breach. It is not a new incident," TalkTalk said.
"The 2015 incident impacted 4% of TalkTalk customers and at the time, we wrote to all those impacted. In addition, we wrote to our entire base to inform them about the breach, advise them about the risk of scam calls and offer free credit monitoring to protect against fraud.
"A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologise. 99.9% of customers received the correct notification in 2015. On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss," the company added.
"The latest announcement that more people were impacted by the TalkTalk breach is going to have an enormous impact on those affected, from identity theft to financial compromise, the list is endless. This is surely one case where an apology is not enough, and TalkTalk should offer identity theft and fraud protection to the affect customers. The unfortunate reality is that if the data was accessible for this long on the dark web, the chances are it has already been accessed by unintended parties," says Anjola Adeniyi, Technical Leader at Securonix.
According to Shlomie Liberow, technical program manager at HackerOne, while it is critical to gather all the information before telling customers if their data was affected and it is definitely not recommended to tell people their data was not compromised unless 100% certain, but when faced with an unprecedented incident like TalkTalk was back in 2015, it’s realistic that something might slip through the gaps.
"Therefore, while consumers place trust in companies to keep their data secure, when they learn of a data breach of this magnitude, I’d recommend they also take precautionary steps to secure their data regardless of whether or not they think they’ve been affected.
"In a case like this, keeping vigilant for spam and phishing emails is going to be key after such a breach and notifying your bank to be alert for any suspicious activity is also a must, as well as keeping an eye out for this activity yourself. Taking responsibility for this, regardless of how a company behaves, will empower consumers to be more secure in the long run," Liberow adds.