TalkTalk has suffered a “significant and sustained” cyber-attack in which the personal and financial data of its four million customers could have been compromised. The details are as yet unconfirmed, but TalkTalk says it does not even know if its data was encrypted — a bad sign.
So what does it mean for TalkTalk customers? How can you protect yourself from identity theft, and what should TalkTalk be doing? We’ve put together a guide for what to do if you think your data could be compromised.
TalkTalk’s customer database was attacked in a move that could leave the data of four million people compromised — meaning it is now in the hands of the attackers. The hackers have since issued a ransom demand asking the TalkTalk chief executive for money, presumably in return for the data.
“If you’re a cyber-criminal the days of stealing data and then selling it for cash in the dark web — they’re not so profitable as they used to be,” Dido Harding, TalkTalk chief executive, told the BBC.
The customer data that may have been accessed includes:
- Date of birth
- Telephone number
- TalkTalk account information
- Credit card details
- Bank account details
Was my data encrypted?
The short answer is probably not. On its website, TalkTalk has said “not all of the data was encrypted.” And Harding was unable to provide any further details.
“I would love to be able to give you that complete and unequivocal assurance,” said Harding. “But it would be wrong of me to give you that today, when the amount of data that these criminals have had access to is very large.”
What risks do I face as a TalkTalk customer?
If your data has indeed been breached, you could be at risk of identity theft, phishing attacks and scam phone calls. Any accounts that use the same password could also be easily accessed.
What can I do if I think my data was hacked?
Protect yourself financially
In the immediate term, TalkTalk customers should protect themselves financially. Contact your bank or credit card company, and warn them that your data may have been breached so that they can look out for any suspicious activity on your account.
TalkTalk has also contacted the major banks and is offering a year’s free credit monitoring for all its customers.
Keep an eye on activity yourself over the next few months and alert the bank, or Action Fraud — the UK’s fraud reporting centre — if you see anything suspicious.
Protect yourself online
Change the passwords for your online accounts. Now — and into the future — it is wise to change your passwords regularly and try not to use the same one more than once.
It can be hard to remember numerous different passwords, but there are tools available online that can help. Password managers like 1Password, LastPass and Dashlane can be easy ways to keep a handle on different passwords — but we can’t vouch for their complete safety.
TalkTalk has said its “MyAccount” page is still down — but once it’s back online users should change their passwords.
Also look out for phishing emails — never reply to an unsolicited email with your login and account details or your password. Don’t click on any links in suspicious-looking emails either — they could download malware or viruses onto your computer.
Protecting your personal information
Protect your data offline too. If the data breach includes phone numbers, you could receive calls asking for further personal information. Don’t give out any bank details or passwords over the phone. And if anything seems off, hang up.
What should TalkTalk be doing?
TalkTalk needs to bolster its cybersecurity. This is the third data breach to hit the company in the last year — in August TalkTalk customers were caught up in the Carphone Warehouse attack that affected 2.4 million people, and in February scammers managed to steal thousands of names, contact details and account numbers through a third-party contractor. The February attack led to customers being tricked out of thousands of pounds.
TalkTalk is unable to offer assurance that its customers’ data is now secure. Although it says it has taken steps to secure its website, it continues: “Unfortunately cyber criminals are becoming increasingly sophisticated and attacks against companies that do business online are becoming increasingly frequent.”
But — in an effort to protect against further attacks — it is continuing to update its systems and work with cyber security experts.
“We have carried out a thorough review with the help of leading cyber crime specialists and taken all necessary measures to secure our websites,” TalkTalk said on its website.
What happens next?
The Metropolitan Police Cyber Crime Unit is investigating the attack, as is the Information Commissioner’s Office. TalkTalk has also said: “We’re working with the police and cyber security experts to understand what happened and protect as best we can against similar attacks in the future.”
Will TalkTalk face a fine?
The Information Commissioner’s Office has the power to fine up to £500,000 for serious breaches of the Data Protection Act.
As a customer, can I receive compensation?
TalkTalk has not yet said if it will be compensating its customers. But when it suffered a similar data breach in February and customers lost thousands of pounds by falling prey to telephone scams, the company wouldn’t reimburse them, according to the Guardian. It was actually an offer of compensation from the scammers that prompted the duped customers to hand over further personal details.