TalkTalk urges 'vigilance' following breach


TALKTALK have warned their more than four million customers to be extra vigilant after admitting a security breach resulting in the theft of customer details late last year.

The ISP has been keen to reassure customers that no "sensitive" information such as bank or credit card details has been stolen.

But the names, account numbers, addresses and phone numbers of thousands of customers were all lifted in the incident.

That's enough for the thieves to have posed as TalkTalk employees and attempt to con customers into passing on their bank details or installing malicious software to do the job for them.

Complaints up

Customers began complaining to TalkTalk between October and December 2014, saying they'd received phone calls from people claiming to be from the provider.

In some cases customers were told their computers were either infected with a virus, or at risk of being infected, and that they needed to download certain software to check whether they'd been affected.

People who challenged the callers say they were given their account numbers and other restricted information as proof they were being contacted by genuine TalkTalk employees.

TalkTalk say it was this increase in complaints that lead them to start investigating, and it took until the end of February for them to publicly confirm a breach had happened.

They say it appears to have happened while a third party supplier had legitimate access to the customer database, and that they're suing that supplier.

In the meantime, some of their customers have been defrauded out of hundreds, even thousands of pounds.

TalkTalk have set up a dedicated phone line for customers who have been contacted or targeted by the scammers, accessible by calling either 0800 083 2710 or 0141 230 0707.

In addition, they've updated all emails to customers to include the reminder that they will never ask them over the phone to reveal their full password, or give bank or card details.

Neither will they tell customers over the phone they need to download any software unless it's been pre-arranged by the customer - including arranging a time for the call-back.

On top of TalkTalk's efforts, Ofcom are advising those who think they may have been contacted or defrauded to tell Action Fraud.

talktalk phone scams warning



Despite the growing awareness of online fraud, phone scams - known as "vishing" - seem to be enjoying something of a resurgence.

Research carried out by Financial Fraud Action UK (FFAUK) suggest that 58% of people received at least one suspect call in the period between August 2013 and August 2014, compared to 41% in the year before.

And as the number of calls increases, so too does the amount of money lost to phone scammers - up £7 million to £23.9 million.

But at least the research showed that 75% of people made an effort to challenge suspect callers - although more than a third said they found it difficult to tell the difference between genuine and fraudulent requests for information.

And the same technology that's making it difficult for telecom companies to crack down on nuisance callers is making it more difficult for people to tell if the number flashing up on their caller display is genuine.

"Number spoofing" - cloning the contact details of trusted organisations like banks, media providers and even authorities like police stations and council offices - has really taken off in the past year, according to FFAUK.

Ironically, TalkTalk are known for their industry-leading HomeSafe, WorkSafe and SuperSafe router-level security software, which protects customers from online threats and undesirable content.

Meanwhile in 2012, TalkTalk Business highlighted the importance of online security for their business customers, citing research from Symantec showing it cost companies £79 per record breach - an increase of 68% since 2007.

That report said "negligence is still the main cause of problems, with employee or contractor mistakes accounting for more than a third (36%) of the reported issues".

What next?

The breach means TalkTalk could be liable to a fine for failing to secure personal information under the Data Protection Act.

All British companies have to conform to the principles set out in the Act, even if the data they're handling is stored or processed overseas - as is the case with TalkTalk's India-based customer service operation.

More on TalkTalk
TalkTalk broadband
TalkTalk Youview TV

The regulator charged with deciding any punishment for TalkTalk is the Information Commissioner's Office (ICO), which has the power to fine companies up to £500,000.

They recently levied a £175,000 fine on online holiday insurance company, after hackers stole customer records and used them to defraud more than 5,000 people.

Staysure's fine reflected the number of customers affected, as well as the fact that they'd kept information that should never have been stored, such as the CVV security number on the back of bank and credit cards.

As well as taking into account how many people have been affected, and the outcome of the ISP's own investigation into the incident, the ICO will consider how TalkTalk dealt with it in the early stages.

That could be crucial for TalkTalk, as one of the criticisms levelled at them was how long it took for them to admit something had happened.

Proposed changes to EU data laws could mean that in the future, any company suspecting a data breach may have to tell the ICO within 24 hours.

In the meantime, the advice is to be extra vigilant, and if in any doubt, hang up.

Please read our full disclaimer for important information that relates to the service we provide and your use of this site.

We aim to provide free reviews and comparisons of consumer products and to keep our editorial content as objective as possible. To keep the site free, we are paid by some providers when new customers take products after they've clicked on our links. We don't allow our editorial content to be affected by those links, however we may not include all of the products available in the market. Finally, we do not submit or process any applications for any products or services and we cannot guarantee that any product or service listed on this website will be available to you. Credit providers make the final decision on whether an application for credit will be accepted.

If you would like to get in touch with us you can contact us here.