Security Experts:

TalkTalk Downplays Data Breach

The recent data breach has not affected core systems and the exposed financial data cannot be used to steal money from customer accounts, U.K.-based phone and broadband services provider TalkTalk said on Sunday.

TalkTalk reported on Thursday that it detected a “significant and sustained” attack on its systems the previous day. The company is investigating the incident in collaboration with the Metropolitan Police’s Cyber Crime Unit and cybercrime experts.

The British telecoms company noted that while the investigation is ongoing, the attackers might have accessed customer names, addresses, dates of birth, email addresses, phone numbers, TalkTalk account data, credit and debit card information, and bank details.

In an update provided on Sunday, TalkTalk clarified that the cyberattack targeted the company’s website, not its core systems. Furthemore, the company says the attackers have not accessed TalkTalk My Account passwords, although users are advised to change them as a precaution.

As far as financial information is concerned, the company says its website does not store complete payment card details. More precisely, credit and debit card numbers possibly accessed by the cybercriminals have six middle digits blanked out, which makes them useless for financial transactions.

“We now expect the amount of financial information that may have been accessed to be materially lower than initially believed and would on its own not enable a criminal to take money from your account,” TalkTalk said.

Several individuals and groups have taken credit for the attack on TalkTalk. One of them even attempted to blackmail the company, asking roughly $122,000 in Bitcoin to prevent stolen customer data from being leaked.

According to cybercrime blogger Brian Krebs, the extortionists demonstrated that they are behind the breach by providing information from a database storing the details of 400,000 individuals who recently underwent credit checks for new service with TalkTalk.

Krebs also reported that a reputable seller announced his intention to offer the data on a Deep Web black market website called AlphaBay.

“There’s lots of speculation online. We can’t comment on this as it’s a live investigation; we continue to work with cyber-crime specialists and the police as they investigate the attack and any relevant information is being shared with the authorities,” a TalkTalk spokesperson told SecurityWeek on Friday regarding the groups that claim to possess stolen data.

Krebs learned from his sources that the hackers leveraged a SQL injection vulnerability to gain access to user data. The distributed denial-of-service (DDoS) attack that disrupted TalkTalk’s website at around the time of the breach is believed to have served as a smokescreen for other malicious activities.

“More frequently exfiltration of personal data comes on the heels of a DDoS attack, as this activity can be used to map or profile a network’s existing security defenses, pinpointing holes in security or vulnerabilities to exploit. An onslaught of DDoS attack activity follows, distracting IT personnel, overwhelming data logging tools and masking other nefarious attack attempts,” Dave Larson, CTO at Corero Network Security, told SecurityWeek. “The modern DDoS attack has become more than just a threat or impact to availability, it has evolved to a security implication.”

This is the third time TalkTalk customers have been affected by a data breach over the past year. One of the incidents affected TalkTalk directly, while the second impacted Carphone Warehouse, a company that provides services to the telecoms firm.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.