The breach was reportedly discovered late last year (between October and December, although some also saw occurrences from August) after TalkTalk saw complaints spike on calls from spammers, pretending to be from the company's support team. The firm now taking action against this third-party, which The Guardian says is an Indian call centre.
The initial point of access also remains unknown at this time, although it appears the third-party contractor – which had access to customer accounts – was compromised allowing fraudsters to access client information and use this knowledge to call and convince customers that they were from the customer service division.
One customer, HR consultant Graeme Smith, said he was contacted by a woman with an Indian accent claiming to be from TalkTalk, which seemed credible as she knew both his name and account number. Then told that of an alleged hacking attempt on his account, Smith was subsequently asked to download some software onto his PC so to enable an engineer to look at the problem and remove ‘malicious files'. He was also asked to give his bank details to receive compensation for the trouble.
However, Smith later checked his bank account and saw a deduction of £2,815. His bank, Santander, have refused to compensate him according to reporters at The Guardian.
Other customers affected have reported that information stolen included names, addresses, phone numbers and TalkTalk account numbers, although TalkTalk itself says that “no sensitive information”, including payment data, went missing during the attack.
The company has sent emails to every customer although only a few thousand account numbers are believed to be affected. It has also set up a dedicated phone help line for those targeted, and is working closely with the Information Commissioner's Office (ICO).
Leanne Dodson, cyber-security expert at PA Consulting Group, told SCMagazineUK.com that this was a classic case of social engineering.
“It appears that this latest TalkTalk breach was a social engineering attack, involving the use of confidential data from an earlier third party contractor breach. Although this data was non-financial and therefore perceived as low value, it was then used to lure customers into believing the caller was a genuine TalkTalk employee.
“It is vital that organisations maintain the integrity and confidentiality of their data, and this includes data accessed by suppliers and third parties.”
On what TalkTalk needs to do next, she added: “Something like this could have been avoided if customers were alerted when the initial breach occurred, alerting them to be suspicious of calls or emails including this information. TalkTalk needs to alert customers immediately about this scam to avoid further customers falling foul to this vishing attempt.”
She also added that individuals should ask for the full name and role of person calling and then hang up and call back the organisation (using a number on a bill or reputable search engine). Furthermore, she stressed that users should never give control of their computer over the phone.
Ross Brewer, VP and managing director for international markets at LogRhythm, told journalists in an email: “This TalkTalk breach highlights not just the importance of organisations ensuring their own security policies are up to scratch, but also that of their third parties,” he said. “TalkTalk has done a great job in reacting to the situation by investigating when unusual events were reported, and then quickly informing customers of the situation.
“It's now clear just how important it is to have the ability to identify and respond to threats in as little time as possible. While it seems TalkTalk has responded relatively quickly, it was through a rise in complaints from customers – rather than the company itself identifying unusual activity on its networks. Most organisations currently operate in a mode where the time it takes to detect and respond to threats is months – or weeks at best.”
“Traditionally, organisations have taken a relatively reactive approach to cyber-security, but faced with the sophisticated threats of today, this needs to change. However, there is so much noise on the network these days, with vast quantities of data moving around at breakneck speeds, that it can be difficult to proactively identify threats. Security intelligence techniques allow security teams to see through the fog and target the threats that matter, so they can respond quickly and efficiently. The faster businesses can find and shut-down threats, the more work hackers will have to do to succeed and, with any luck, one day in the future they'll get tired of trying.”