TalkTalk Customer Details Exposed in Data Breach

U.K.-based phone and broadband services provider TalkTalk informed customers on Thursday that their personal and financial information might have been accessed by malicious actors.

TalkTalk said it detected a “significant and sustained” attack on its systems on Wednesday, October 21. The telecoms firm is working with cybercrime experts and the Metropolitan Police’s Cyber Crime Unit to investigate the incident.

The company says it’s too early to provide information on who might be behind the attack and the methods used by the attackers. An initial analysis revealed that the attackers might have accessed names, addresses, dates of birth, email addresses, phone numbers, TalkTalk account data, credit card details, and bank account information. The company says not all data was encrypted.

TalkTalk has reported the incident to the Information Commissioner’s Office (ICO), and contacted major banks to ensure that they will monitor its customers’ accounts for suspicious activity. The company plans on offering affected individuals one year of free credit monitoring services.

The company has warned customers about the malicious activities that might emerge following the data breach, including phishing scams targeting account information and bank details, and attempts to trick users into downloading malicious software on their computers.

“TalkTalk constantly updates its systems to make sure they are as secure as possible against the rapidly evolving threat of cyber crime, impacting an increasing number of individuals and organisations,” TalkTalk CEO Dido Harding said in a statement. “We take any threat to the security of our customers’ data extremely seriously and we are taking all the necessary steps to understand what has happened here.”

Harding told the BBC that she received a ransom demand via email from someone claiming to be the hacker.

Some individuals have also published data records allegedly stolen from TalkTalk, but the company has refused to confirm or deny their validity, citing the ongoing investigation.

“There’s lots of speculation online. We can’t comment on this as it’s a live investigation; we continue to work with cyber-crime specialists and the police as they investigate the attack and any relevant information is being shared with the authorities,” a TalkTalk spokesperson told SecurityWeek.

This is the third time TalkTalk customers have been affected by a data breach in the past year. In February, the company confirmed that it had suffered a data breach in which clients’ names, phone numbers, addresses, and TalkTalk account numbers had been compromised. The breach came to light after the company noticed a spike in the number of fraud attempts aimed at its customers.

In August, 480,000 TalkTalk users were affected by a breach suffered by a division of the U.K.-based mobile phone retailer Carphone Warehouse, which provides services, among others, to TalkTalk.

Users visiting TalkTalk’s website might have ended up with malware on their computers last month after cybercriminals tricked advertising networks into pushing their malicious ads as part of a malvertising campaign that went largely undetected for three weeks. The ads reached several high-traffic websites, including the main TalkTalk site, which has over 11 million monthly visits.

"Even though TalkTalk mentions that the attack happened yesterday, there are reasons to assume that the attack has lasted longer than just the past 24 hours," Wim Remes, Strategic Services Manager EMEA for Rapid7, told SecurityWeek. "The data was released by the attackers yesterday, that is all we can derive from what we know now. There is no need to speculate how the attackers got in, what they were after, and what their motivations are."

"Attribution, in my opinion, is a zero sum game and I am confident that TalkTalk will share that information once they have connected all the dots," Remes added. "What I think is important to emphasize is TalkTalk's very strong focus on clear communication. The CEO is the person representing the company to its stakeholders in times of distress without hiding the issues. They were breached, they are working on finding out what happened, and in the meantime here is the CEO talking clearly and without hesitation about what customers can expect from them. This is literally rule number one of incident response and one that is often forgotten once a breach happens."

*Updated with commentary from Rapid7 and response from TalkTalk regarding the leaked data.*
