TalkTalk chief executive Dido Harding has confirmed that she received a ransom note from the hackers responsible for a “significant and sustained” cyber attack against the mobile firm that has put four million customers’ records at risk.
“It is hard for me to give you very much detail but, yes, we have been contacted by, I don’t know whether it is an individual or a group, purporting to be the hacker,” Harding told the BBC.
“All I can say is that I had personally received a contact from someone purporting – as I say I don’t know whether they are or are not – to be the hacker looking for money.”
The sensitive data stolen from TalkTalk includes names, addresses, dates of birth, email addresses and credit card details. TalkTalk confirmed that the details of former customers are also likely to have been compromised.
A Russian Islamist group claimed responsibility for the attack, which is the third such incident this year at the firm. Email data has already started to appear on Pastebin, a popular text-based submission platform, but the validity of this data has yet to be verified.
TalkTalk has since admitted that encryption was not applied to all customer details. “Not all of the data was encrypted. We constantly review and update our systems to make sure they are as secure as possible,” said the firm in an online FAQ.
Tristia Harrison, managing director of the consumer division at TalkTalk, said: “We are taking all the necessary steps to understand this incident and to protect [customers] as best we can against similar attacks in future.”
The Information Commissioner’s Office told V3: “The ICO is aware of this incident, which was reported to us on Thursday afternoon. We will be making enquiries and liaising with the police.”
David Emm, principal security researcher at Kaspersky Lab, highlighted the lack of encryption as a sign of lax security practices.
“It is alarming if any data is not encrypted as it effectively hands over personal information to the attackers. Although Dido Harding is right that the organisation is not alone, this is not the first time such an attack has affected its customers,” he said.
“TalkTalk hasn’t yet been able to quantify the scale of the breach, but any loss of data is a matter for serious concern for customers and I believe that such repeated leaks of data represent a breach of trust.
“I would recommend that all TalkTalk customers take the opportunity to change their passwords.”
Luke Brown, vice president and general manager at Digital Guardian, suggested that this latest breach could be the last straw for TalkTalk customers.
“They say bad news comes in threes and that certainly seems to be the case for TalkTalk over the past nine months. In the wake of two prior breaches, it’s hard to see TalkTalk’s customers giving it any more chances,” he said.
“With over 90 percent of the population owning a mobile phone, it’s easy to see why they are becoming an increasingly attractive target for hackers. The big question is, what are [the operators] doing about it? In TalkTalk’s case, it appears the answer is far too little.”
TalkTalk is advising customers to check their credit reports with three monitoring agencies – Call Credit, Experian and Equifax – despite the fact that Experian suffered a major data breach earlier this year that resulted in the exposure of up to 15 million T-Mobile customer records.
The Metropolitan Police Cyber Crime Unit has confirmed that it is launching a criminal investigation following the TalkTalk attack, which reportedly took place on 21 October.