It has been reported that TalkTalk failed to inform some 4,500 people that their data was compromised in the 2015 breach. Viewers contacted BBC Watchdog Live with concerns that their details had been exposed by TalkTalk, even though the company had told them that their details were not compromised. The BBC consumer show investigated and found the personal details of approximately 4,500 customers available online after a Google search. The details included full names, addresses, email addresses, dates of birth, TalkTalk customer numbers, mobile numbers and bank details for thousands of customers. The information is likely to have been online since the breach, without the knowledge of the people affected.
Experts' Comments:
Anjola Adeniyi, Technical Leader at Securonix:
“Today, consumers can be broken into two groups – those who know they have been hacked, and those who don’t know they’ve been hacked.
The latest announcement that more people were impacted by the TalkTalk breach is going to have an enormous impact on those affected, from identity theft to financial compromise; the list is endless. This is surely one case where an apology is not enough, and TalkTalk should offer identity theft and fraud protection to the affected customers.
The unfortunate reality is that if the data was accessible for this long on the dark web, the chances are it has already been accessed by unintended parties.”
Shlomie Liberow, Technical Program Manager at HackerOne:
“TalkTalk is one of the biggest breaches in history and a lot of lessons can be learned from the incident, particularly regarding the clean-up.
Of course, it is critical to gather all the information before telling customers if their data was affected and it is definitely not recommended to tell people their data was not compromised unless 100% certain, but when faced with an unprecedented incident like TalkTalk was back in 2015, it’s realistic that something might slip through the gaps.
Therefore, while consumers place trust in companies to keep their data secure, when they learn of a data breach of this magnitude, I’d recommend they also take precautionary steps to secure their data regardless of whether or not they think they’ve been affected.
In a case like this, keeping vigilant for spam and phishing emails is going to be key after such a breach and notifying your bank to be alert for any suspicious activity is also a must, as well as keeping an eye out for this activity yourself. Taking responsibility for this, regardless of how a company behaves, will empower consumers to be more secure in the long run.”
Jake Moore, Security Specialist at ESET:
“Failure to let customers know of a data breach is similar to being kicked while you are down. Losing data on this scale was an enormous error for TalkTalk which caused serious issues throughout the business, especially to their brand’s reputation.
The first thing companies should do as soon as they are made aware of any cyber threat or breach of their customers’ data is to hold their hands up and make them aware. They should also include advice on next steps for customers. It is becoming a given that companies could get hacked, whatever the company size.
However, the most important part of holding on to that reputation is being open, honest and clear about any attack from the earliest opportunity. This latest discovery could further damage their business. If anyone has had a TalkTalk account since before the 2015 breach occurred and has not changed operator, then it would be a good idea to monitor for fraudulent activity on their cards and be extra cautious of targeted phishing attacks. Never click on links in emails you are not expecting – even if they look genuine and personalised.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.