Fraudsters Target TalkTalk Customers After Data Breach

TalkTalk, a telecommunications and broadband company serving 4.2 million customers in the UK, confirmed this week that it has suffered a data breach, which exposed names, phone numbers, addresses and account numbers of its customers.

The company, which provides fixed-line broadband, voice telephony, television and mobile services to consumers and businesses in the UK, confirmed reports that the breach originated from a third-party contractor which had legitimate access to its customer accounts. The data has now apparently fallen into the hands of fraudsters who are targeting individuals with personalized scams.

The company has taken legal action against the supplier and told SecurityWeek that “proceedings are ongoing.”

TalkTalk did not name the supplier in question, but UK newspaper The Guardian reported in December that a possible data breach may have emerged from one of its Indian call centers, which now appears to be the case.

“At the end of last year, we saw an increase in malicious scammers preying on our customers,” a TalkTalk spokesperson told SecurityWeek. “In a small number of cases, customers told us that the criminals were quoting their TalkTalk account number as well as their phone number.”

After conducting an investigation, the company discovered that information about some customers had, in fact, been illegally accessed in violation of TalkTalk’s security procedures.

“We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly,” the spokesperson said.

Bank account details did not appear to be illegally accessed, and the company said that its TalkTalk Business customers were not affected.

The Guardian reported on Friday that one TalkTalk customer was taken for £2,800 by a scammer, and that his bank (Santander) refused to compensate him for the losses. 

“This is yet another reminder that a business is only as secure as the weakest link in its supply chain,” Andrew Avanessian, EVP of consultancy and technology services at Avecto, told SecurityWeek. “It is a matter of access in this case. There are still too many businesses giving third parties unnecessary access to their corporate systems, and determined attackers will use these suppliers to gain an initial foothold in the target system. Companies need to be more savvy and proactive when it comes to the supply chain.”

Attackers often exploit employees and customers with social engineering campaigns, and Avanessian warned that businesses should be ready for such attacks.

“Businesses should limit their exposure to this risk by adopting a least privilege approach to user access,” he said. “Businesses should prepare for when they are targeted, not if, and taking control of who has access to what is the obvious starting place.”

Avanessian advised that customers should also remain vigilant against such attacks and not engage in unsolicited contact that requests personal or financial information. “If they are unsure of what they are being asked they should hang up and make a call back to the company’s official number, thus confirming authenticity.”

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
