[BreachExchange] TalkTalk Overlooked Nearly 5000 Customers in Breach Notification

Destry Winant destry at riskbasedsecurity.com
Fri May 24 09:10:53 EDT 2019


https://www.infosecurity-magazine.com/news/talktalk-overlooked-5000-breach-1-1/

A mishandled 2015 data breach continues to hound TalkTalk after it
emerged that the UK telco failed to notify nearly 5000 customers who
had been affected.

After being contacted by viewers who suspected their details had been
stolen via the telco, consumer rights program Watchdog Live
investigated.

It subsequently found their full names, addresses, email addresses,
dates of birth, TalkTalk customer numbers, mobile numbers and bank
details available via a simple Google search.

“A recent investigation has shown that 4545 customers may have
received the wrong notification regarding this incident. This was a
genuine error and we have since written to all those impacted to
apologize — 99.9% of customers received the correct notification in
2015,” the firm told the BBC in a statement.

“On their own, none of the details accessed in the 2015 incident could
lead to any direct financial loss.”

The latter may be technically true, but it glosses over the real risk:
fraudsters are more than capable of using such details to impersonate
their victims in order to elicit further information that can then be
monetized.

Affected customers told the show they have been the victim of frequent
scam calls, while some have suffered attempted identity fraud which
has impacted their credit rating.

The original incident involved the compromise of 157,000 customers,
including bank account numbers and sort codes for over 15,000 of them.

It led to a £400,000 fine from the regulator, the ICO, after it was found
that attackers had exploited a simple SQL injection flaw in web pages
that TalkTalk didn't even know existed.

The firm was also widely criticized for its incident response, sending
out confusing messages via a CEO not in possession of all the facts.

TalkTalk's profits halved following the incident, with the firm paying
£42m to cover incident response, external consulting and increased
call volumes as a result of the breach.
