
Fraudsters Target TalkTalk Customers After Data Breach

TalkTalk, a telecommunications and broadband company serving 4.2 million customers in the UK, confirmed this week that it has suffered a data breach, which exposed names, phone numbers, addresses and account numbers of its customers.


The company, which provides fixed-line broadband, voice telephony, television and mobile services to consumers and businesses in the UK, confirmed reports that the breach originated from a third-party contractor which had legitimate access to its customer accounts. The data has now apparently fallen into the hands of fraudsters who are targeting individuals with personalized scams.

The company has taken legal action against the supplier and told SecurityWeek that “proceedings are ongoing.”

TalkTalk did not name the supplier in question, but UK newspaper The Guardian reported in December that a possible data breach may have emerged from one of its Indian call centers, which now appears to be the case.

“At the end of last year, we saw an increase in malicious scammers preying on our customers,” a TalkTalk spokesperson told SecurityWeek. “In a small number of cases, customers told us that the criminals were quoting their TalkTalk account number as well as their phone number.”

After conducting an investigation, the company discovered that information about some customers had, in fact, been illegally accessed in violation of TalkTalk’s security procedures.

“We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly,” the spokesperson said.

Bank account details did not appear to be illegally accessed, and the company said that its TalkTalk Business customers were not affected.


The Guardian reported on Friday that one TalkTalk customer was taken for £2,800 by a scammer, and that his bank (Santander) refused to compensate him for the losses. 

“This is yet another reminder that a business is only as secure as the weakest link in its supply chain,” Andrew Avanessian, EVP of consultancy and technology services at Avecto, told SecurityWeek. “It is a matter of access in this case. There are still too many businesses giving third parties unnecessary access to their corporate systems, and determined attackers will use these suppliers to gain an initial foothold in the target system. Companies need to be more savvy and proactive when it comes to the supply chain.”

Attackers often exploit employees and customers with social engineering campaigns, and Avanessian warned that businesses should be ready for such attacks.

“Businesses should limit their exposure to this risk by adopting a least privilege approach to user access,” he said. “Businesses should prepare for when they are targeted, not if, and taking control of who has access to what is the obvious starting place.”

Avanessian advised that customers should also remain vigilant against such attacks and not engage in unsolicited contact that requests personal or financial information. “If they are unsure of what they are being asked they should hang up and make a call back to the company’s official number, thus confirming authenticity.”


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
