TalkTalk 'fesses up to MEGA data breach

Noticed an increase in scamming late last year


TalkTalk has admitted to a major breach of sensitive user information, which may have led to some customers handing over bank data to hackers.

In an email to subscribers, the company said it first saw a big increase in malicious scammers claiming to be from TalkTalk at the end of last year.

The budget telco said that – following an investigation – some of its subscriber information, such as names, addresses, phone and account numbers, could have been illegally accessed, with scammers quoting these details to customers.

Consequently, a small number may have revealed more in-depth information, such as bank details. In some of these cases we know they may be using the information they have illegally obtained, the telecoms and services provider said.

It added:

At TalkTalk we take our customers' security very seriously and we take numerous measures to help keep our customers safe. Yet sadly in every sector, criminal organisations using phone and email scams are on the rise.

As part of our ongoing approach to security we continually test our systems and processes ... following further investigation into these reports, we have now become aware that some limited, non-sensitive information about some customers could have been illegally accessed in violation of our security procedures.

We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly.

We want to reassure customers that no sensitive information, such as bank account details, has been illegally accessed, and TalkTalk Business customers are not affected.

The company said it was liaising with UK data watchdog the Information Commissioner's Office and was writing to all of its customers to offer advice about the criminal activity.

An ICO spokesperson said: “We are aware of a possible data breach involving TalkTalk and are making enquiries into the circumstances.” ®


Other stories you might like

  • Info on 1.5m people stolen from US bank in cyberattack
    Time to rethink that cybersecurity strategy?

    A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

    In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

    "Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

    Continue reading
  • There are 24.6 billion pairs of credentials for sale on dark web
    Plus: Citrix ASM has some really bad bugs, and more

    In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.

    Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. 

    Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.

    Continue reading
  • Elasticsearch server with no password or encryption leaks a million records
    POS and online ordering vendor StoreHub offered free Asian info takeaways

    Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.

    Safety Detectives’ report states it found a StoreHub sever that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.

    StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities.

    Continue reading

Biting the hand that feeds IT © 1998–2022