It has been reported that tens of thousands of consumers who have entered their details on the TV Licencing website are being urged to check their bank statements for suspicious transactions following a data alert. TV Licencing has stated that from 29 August until the afternoon of 5 September 2018, some transactions carried out on the website were “not as secure as they should have been”. It is emailing 40,000 people who entered bank account and sort code details telling them to check their bank accounts for suspicious transactions and to make sure direct debits haven’t been amended.
TV Licensing spokesperson said:
“While there is no evidence that anyone’s data has been compromised, for a limited period certain transactions carried out on our website were not as secure as they should have been. This has now been fixed.
“While the risk of anyone having seen any of this data is low, because we take data security seriously we’ve written to people who may have sent their bank details to our website during this period to alert them and advise them to speak to their bank if they see any unusual activity. The issue did not affect credit or debit card details which were encrypted throughout.
“We’re really sorry this happened but want to reassure customers that the risk is low and we’ve taken action to ensure it doesn’t happen again. There is no evidence of any attack and we’ve found no evidence of any unauthorised access to information.”
Dan Pitman, Senior Solutions Architect at Alert Logic:
“From TV Licencing’s statements if you payed immediately via card or other online payment you were safe, bank details would have been entered onto the site by people setting up direct debits at which point the setup information to be processed by the bank may have been changed. It would be prudent to cancel any direct debits and call TV Licensing to setup a new one.
Where financial information combined with emails or other identifying factors are leaked it will enable criminals to put together different sets of data, potentially combining known passwords or personal details with that financial data.
This attack seems similar to the British Airways one (TV Licensing spokesperson confirmed to us that this statement is not correct, as there was no attack), most likely a system or systems were compromised and a command and control application was deployed that allowed the attacker to scrape memory or the site itself was compromised in same way. In this case visitors who want to make on-line payments are immediately moved to completely different website before any details are taken so card details would not have been in memory on TVLicensing’s servers.”
Ryan Wilk, VP of Customer Success at NuData Security:
“Data in the wrong hands – especially payment card information – can have a huge impact on customers, far beyond the unauthorised use of their cards. Credit card information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Using these real identities, and sometimes fake identities with valid credentials, they’ll take over accounts, apply for loans, and much more. Every hack has a snowball effect that far outlasts the initial breach.
All customer information is valuable to fraudsters. Name, physical and email addresses, passwords, the content of emails – everything that can be used to compile an identity will be used. We must change the current equation of “breach = fraud” by changing how we think about online identity verification. We need to protect all customer data, but more importantly, we need to make it valueless.Multi-layered technology that thwarts fraud exists right now. Passive biometrics technology is making stolen data valueless by verifying users based on their inherent behaviour instead of relying on their data. This makes it impossible for bad actors to access illegitimate accounts, as they can’t replicate the customer’s inherent behaviour.Analysing customer behaviour with passive biometrics is completely invisible to users. It has the added benefit of providing valid users with a great experience without the extra friction that often comes with other customer identification techniques. When fraudsters try to use stolen customer data or login credentials, they will find the data is useless. The balance of power will return to customer protection when more companies implement such techniques and technology.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.