TalkTalk urges 'vigilance' following breach

Credit: Piotr Swat/Shutterstock.com

The ISP has been keen to reassure customers that no "sensitive" information such as bank or credit card details has been stolen.

But the names, account numbers, addresses and phone numbers of thousands of customers were all lifted in the incident.

That's enough for the thieves to have posed as TalkTalk employees and attempt to con customers into passing on their bank details or installing malicious software to do the job for them.

Complaints up

Customers began complaining to TalkTalk between October and December 2014, saying they'd received phone calls from people claiming to be from the provider.

In some cases customers were told their computers were either infected with a virus, or at risk of being infected, and that they needed to download certain software to check whether they'd been affected.

People who challenged the callers say they were given their account numbers and other restricted information as proof they were being contacted by genuine TalkTalk employees.

TalkTalk say it was this increase in complaints that lead them to start investigating, and it took until the end of February for them to publicly confirm a breach had happened.

They say it appears to have happened while a third party supplier had legitimate access to the customer database, and that they're suing that supplier.

In the meantime, some of their customers have been defrauded out of hundreds, even thousands of pounds.

TalkTalk have set up a dedicated phone line for customers who have been contacted or targeted by the scammers, accessible by calling either 0800 083 2710 or 0141 230 0707.

In addition, they've updated all emails to customers to include the reminder that they will never ask them over the phone to reveal their full password, or give bank or card details.

Neither will they tell customers over the phone they need to download any software unless it's been pre-arranged by the customer - including arranging a time for the call-back.

On top of TalkTalk's efforts, Ofcom are advising those who think they may have been contacted or defrauded to tell Action Fraud.

SOURCE: TalkTalk.co.uk

"Vishing"

Despite the growing awareness of online fraud, phone scams - known as "vishing" - seem to be enjoying something of a resurgence.

Research carried out by Financial Fraud Action UK (FFAUK) suggest that 58% of people received at least one suspect call in the period between August 2013 and August 2014, compared to 41% in the year before.

And as the number of calls increases, so too does the amount of money lost to phone scammers - up £7 million to £23.9 million.

But at least the research showed that 75% of people made an effort to challenge suspect callers - although more than a third said they found it difficult to tell the difference between genuine and fraudulent requests for information.

And the same technology that's making it difficult for telecom companies to crack down on nuisance callers is making it more difficult for people to tell if the number flashing up on their caller display is genuine.

"Number spoofing" - cloning the contact details of trusted organisations like banks, media providers and even authorities like police stations and council offices - has really taken off in the past year, according to FFAUK.

Ironically, TalkTalk are known for their industry-leading HomeSafe, WorkSafe and SuperSafe router-level security software, which protects customers from online threats and undesirable content.

Meanwhile in 2012, TalkTalk Business highlighted the importance of online security for their business customers, citing research from Symantec showing it cost companies £79 per record breach - an increase of 68% since 2007.

That report said "negligence is still the main cause of problems, with employee or contractor mistakes accounting for more than a third (36%) of the reported issues".

What next?

The breach means TalkTalk could be liable to a fine for failing to secure personal information under the Data Protection Act.

All British companies have to conform to the principles set out in the Act, even if the data they're handling is stored or processed overseas - as is the case with TalkTalk's India-based customer service operation.

The regulator charged with deciding any punishment for TalkTalk is the Information Commissioner's Office (ICO), which has the power to fine companies up to £500,000.

They recently levied a £175,000 fine on online holiday insurance company Staysure.co.uk, after hackers stole customer records and used them to defraud more than 5,000 people.

Staysure's fine reflected the number of customers affected, as well as the fact that they'd kept information that should never have been stored, such as the CVV security number on the back of bank and credit cards.

As well as taking into account how many people have been affected, and the outcome of the ISP's own investigation into the incident, the ICO will consider how TalkTalk dealt with it in the early stages.

That could be crucial for TalkTalk, as one of the criticisms levelled at them was how long it took for them to admit something had happened.

Proposed changes to EU data laws could mean that in the future, any company suspecting a data breach may have to tell the ICO within 24 hours.

In the meantime, the advice is to be extra vigilant, and if in any doubt, hang up.