In the wake of the third “significant and sustained” cyber attack on an FTSE 250-listed UK company, on Wednesday 21st October, TalkTalk is advising all of its 4 million subscribers that their personal data (including names, addresses, dates of birth, phone numbers and email addresses, plus account information, credit card and banking details) may have been breached. The company is offering one year’s free credit monitoring for this latest breach, but it has not been a good period to be trading under this now toxic name. TalkTalk suffered a sophisticated email scam in February 2015, which it attributed to a third-party contractor who had legitimate access to its customers’ data, and in December 2014 the Guardian reported a possible data breach emanating from one of its Indian call centres, which left some customers out of pocket by several thousand pounds while their banks disclaimed responsibility, arguing that the victims had caused their own losses by allowing the fraudsters access through nefarious means.
The Information Commissioner’s Office (ICO) began investigating the hacking of Carphone Warehouse (owned by Dixons Carphone plc) in August, a breach affecting 2.4 million users, and earlier this month the North American unit of credit rating agency Experian PLC suffered a breach of data belonging to clients of the US mobile carrier T-Mobile USA Inc, affecting 15 million US customers. Reports of cyber offences reached over 625,000 a month this summer.
The Metropolitan Police Cyber Crime Unit has launched its investigation into the attack on TalkTalk’s website. Whilst TalkTalk’s CEO Dido Harding has confirmed that its website is now secure again and that TV, broadband, mobile and phone services have not been affected by the attack, its sales website and “My Account” bill checking service have yet to be restored. TalkTalk’s assurances about the seeming normality of service provision offer little comfort to its concerned customer base, few of whom will be surprised to hear that the company lost 10% of its share price within 24 hours of the bad news. Claims emerged today on BBC Radio 4’s Today programme that a Russian Islamist group had posted online that they were responsible for the attack. This is being investigated by the authorities, though TalkTalk is currently refusing to comment on it.
So where does this leave TalkTalk customers?
• Anyone who is the victim of a cyber attack should monitor their bank and credit card accounts diligently over several months to spot any suspicious transactions. The losses are not necessarily sudden and dramatic: there is an emerging trend for small-scale withdrawals following hacks, far less eye-catching to the unwary consumer but corrosive and damaging over the long term as part of a sustained siphoning of funds.
• Customers may also be contacted by new third-party fraudsters cashing in on the TalkTalk attack, approaching an already vulnerable customer base to gain access to their accounts while purporting to be TalkTalk staff trying to fix things. No genuine TalkTalk staff would demand account details over the phone, and any such request should set alarm bells ringing.
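As an added illustration of the low-value siphoning pattern described in the first point (example code written for this page, not from TalkTalk or the original article), the script below groups a constructed sample statement by payee and flags unfamiliar payees that take repeated small debits, the kind that a glance at a balance would miss. The payee names, amounts and thresholds are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample bank statement for illustration only (not real data).
# Each entry: (posting date, payee as shown on the statement, debit in pence).
STATEMENT = [
    (date(2015, 9, 1),   "TALKTALK DD",    2750),
    (date(2015, 9, 3),   "TESCO STORES",   6420),
    (date(2015, 9, 5),   "DIGI SVCS LTD",   499),
    (date(2015, 9, 12),  "COFFEE HUT",      310),
    (date(2015, 9, 19),  "DIGI SVCS LTD",   499),
    (date(2015, 10, 1),  "TALKTALK DD",    2750),
    (date(2015, 10, 3),  "DIGI SVCS LTD",   999),
    (date(2015, 10, 9),  "ONLINE RETAIL", 25000),
    (date(2015, 10, 17), "DIGI SVCS LTD",   499),
]

# Payees the account holder recognises; anything else counts as unfamiliar.
KNOWN_PAYEES = frozenset({"TALKTALK DD", "TESCO STORES"})


def flag_small_recurring_debits(statement, known_payees, max_pence=2000, min_count=3):
    """Return {payee: summary} for unfamiliar payees that took several small debits.

    One low-value debit is easy to shrug off; the warning sign is the same
    unfamiliar payee taking many of them over weeks. Debits above max_pence are
    ignored here because a large one-off is noticed anyway.
    """
    by_payee = defaultdict(list)
    for when, payee, pence in statement:
        if payee in known_payees or pence > max_pence:
            continue
        by_payee[payee].append((when, pence))

    flagged = {}
    for payee, debits in by_payee.items():
        if len(debits) < min_count:
            continue
        dates = [d for d, _ in debits]
        flagged[payee] = {
            "count": len(debits),
            "total_pence": sum(p for _, p in debits),
            "first": min(dates),
            "last": max(dates),
        }
    return flagged


if __name__ == "__main__":
    for payee, info in flag_small_recurring_debits(STATEMENT, KNOWN_PAYEES).items():
        print(f"{payee}: {info['count']} debits totalling £{info['total_pence'] / 100:.2f} "
              f"between {info['first']} and {info['last']}")
```

On the sample statement only DIGI SVCS LTD is reported: four debits under £10 each adding up to £24.96 across six weeks, while the single large ONLINE RETAIL purchase and the one-off COFFEE HUT debit are left alone.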
Cyber Precautions for Enterprise
For any company it is imperative to have good process and policy safeguards, with up-to-date anti-malware and antivirus software installed, wrapped around the company’s data, users and applications. In addition, commodity-based companies that use the web to transact with the public and collect personal details and financial information would be well advised to host their website on a server separate from the main business server, and even to use two different suppliers for these services, for added security and peace of mind. This increases resilience, but it is only step one for the data controller; step two is ensuring that its data handling is compliant ahead of the EU’s General Data Protection Regulation (GDPR), which comes into force in 2017.