The hack of British telecoms operator TalkTalk has been a huge talking point up and down the country, even amongst those who normally don’t follow computer security news.
The reason? The company is a well-known brand, sponsoring ITV’s “The X Factor”, and has over four million customers using its mobile phone and broadband service.
Possibly many members of the public thought, “If it can happen to TalkTalk, it can happen to anyone.”
TalkTalk’s CEO Dido Harding took to the airwaves, appearing on many news bulletins to reassure customers that they were taking the problem seriously, admitting that they were finding it difficult to answer questions about who had been affected, and whether sensitive data had been encrypted or not.
In an updated statement issued today, however, TalkTalk offered some more details:
- The total number of customers whose personal details were accessed is 156,959;
- Of these customers, 15,656 bank account numbers and sort codes were accessed;
- The 28,000 obscured credit and debit card numbers that were accessed cannot be used for financial transactions, and were ‘orphaned’, meaning that customers cannot be identified by the stolen data.
Our ongoing forensic analysis of the site confirms that the scale of the attack was much more limited than initially suspected, and we can confirm that only 4% of TalkTalk customers have any sensitive personal data at risk. However, we continue to advise customers to be vigilant, and to take all precautions possible to protect themselves from scam phone calls and emails.
Reading TalkTalk’s statement I find it hard to feel that they aren’t trying to put a positive “spin” on things – they claim “only 4%” of customers were affected, and play down the risks posed by some of the stolen data.
Frankly, TalkTalk isn’t in a great position to underline the positive here. You get the clear feeling that if it was 4% rather than 74% of customers affected that was more by good fortune, rather than because of security measures which they had in place.
The one number that perhaps TalkTalk customers would be wise to remember is that this is the third time that the telecoms company has suffered a data breach in a year. The fact that this latest attack appears to have been orchestrated through an easy-to-deflect SQL injection attack compounds the embarrassment for the company.
The truth is that even if the data taken from TalkTalk’s database isn’t in itself enough to commit identity theft, it can be used by criminals to help them steal more information (there are already many reports of TalkTalk customers being contacted by scammers via the telephone, pretending to be calling from the real company).
Every piece of information an identity thief manages to steal about you is another piece of the jigsaw.
As a sidenote, it shouldn’t be forgotten that in 2008, Top Gear TV star Jeremy Clarkson famously published his bank account number and sort code in a newspaper column rubbishing people’s concerns about identity theft, and invited readers to attempt to steal money from his account. Within days he admitted his mistake, after someone used the information to create a £500 direct debit to a charity.
If you are one of the poor unfortunate customers to have had their details stolen in one of these attacks, and in some cases lost thousands of pounds, my guess is that you are unlikely to receive much comfort from TalkTalk describing it as “only 4%”.
by Graham Cluley, ESET We Live Security