Almost three months after rumours of a data breach at TalkTalk first emerged in support forums, the firm has finally admitted that sometime last year criminals got hold of enough personal data to launch convincing phone fraud attacks on an unknown number of its customers.
The exact number of records affected isn’t stated by TalkTalk, either because it still doesn’t know or won’t say (see below for update). Presumably, the number must be a significant portion of its four-million-customer database. The data affected includes names, home addresses, phone numbers and TalkTalk account numbers, so this is as serious as a data breach can get from the point of view of the customer.
The company’s blog is a predictable attempt to shift responsibility for what has happened away from itself. The breach happened inside an unnamed third party (probably an Indian call centre), no financial data was taken and, after all, these things happen from time to time, don’t they?
Once you fight your way past this unctuous corporate waffle, a few things should be stated clearly.
- The fact that financial data was not taken is only half the story. Personal data is just as valuable to its owners and, unlike credit card data, can’t be changed. Criminals now know the names and addresses of a sizable number of customers and that might have repercussions down the line.
- The fact it occurred at a third party partner is irrelevant. As far as customers were concerned their relationship was with TalkTalk and it was that firm’s job to protect them and to check out anyone contracted to handle sensitive personal data.
- Why did it take TalkTalk so long to tell the world about such a serious data breach? TalkTalk says it has informed the Information Commissioner’s Office (ICO), as if that matters months on from the first reports that there was an issue. This is a badge of shame, not a badge of honour.
- TalkTalk says that “Financial Fraud Action UK estimates that as many as 58 percent of people have received suspect calls about their banking details,” which might be true but is beside the point. Only a small percentage of those calls occur because of a data breach; most are based on social engineering alone. It’s as if TalkTalk wants to play down the seriousness of what has happened by making it sound routine.
- The company should be clear about how many people are at risk and make sure it contacts every single one of them.
If the ICO investigation finds TalkTalk was at fault it will doubtless issue the sort of fine that large companies laugh at long after most people have forgotten the original facts. The only real sanction is embarrassment.
“The walking dead, they are coming,” says a new TalkTalk Twitter plug for a forthcoming US TV show, without a trace of irony. With customers reportedly being called by phone scammers, that sounds pretty much spot on.
Update: TalkTalk contacted Techworld with the following statement:
"At the end of last year, we saw an increase in malicious scammers preying on our customers. In a small number of cases, customers told us that the criminals were quoting their TalkTalk account number as well as their phone number."
A "few thousand" customers had been contacted by scammers, but the firm said it was taking the precaution of contacting all four million customers in its database regarding the matter. It had supported any customers affected by the fraud, it said.