TalkTalk Customer Data Breached: Glitch or Worrying Trend?
Earlier this month, a recent TalkTalk Broadband customer made the UK telecoms company aware of a breach that caused a different TalkTalk customer’s personal information to be visible to them. This latest instance of a security bug exposing private data to a third party follows a pattern at TalkTalk. Let’s take a look at whether TalkTalk has learned their lesson.
TalkTalk Customer Account Details Exposed
As reported by ISPreview, a new TalkTalk customer was able to view another TalkTalk subscriber’s details in full, unimpeded, earlier this month. All they had to do was sign in to their own account.
The recent TalkTalk customer, who does not wish to be identified, quickly contacted TalkTalk via Twitter. However, they found the turnaround time in dealing with the clearly alarming report to be far from ideal.
“This seems like a major breach of security regulations and something TalkTalk urgently must fix. I’ve contacted them, and they don’t seem very concerned.” - Concerned TalkTalk Customer
This raises serious concerns about TalkTalk’s ability to rectify serious issues that affect their customer data. The initial TalkTalk customer care team response insisted that the concerned customer would be able to “see [their] details when the account is activated”.
The concerned customer correctly stated that this response “rather misses the point” which led them to inform the Information Commissioner’s Office (ICO) of the “totally unacceptable” occurrence.
Exposures of this kind are not unheard of with online accounts, but the concerned TalkTalk customer reported still being able to see the following information about the other customer as late as 9th March. It covered a full range of sensitive personal information:
- Full Name
- Home Address
- Home Phone Number
- Mobile Number
- Personal Email Address
- Telephone Password
This sensitive information could easily be exploited for phishing or social engineering attacks by malicious or criminal actors. More worryingly, several account actions still appeared to be possible, which could lead to irrevocable changes to the TalkTalk account without the rightful account owner being aware:
- Account holder name could be changed with a “Change Name” option
- Home Address change request through a “Moving Home” link
- Mobile Phone change through “Change Mobile”
- Setting a new Telephone Password
If any of the above changes were acted on, the original account owner would be completely locked out of their TalkTalk account. Not only that, but name, address or phone number details could be sold or cross-checked with fraudsters to perpetrate further identity fraud on the unwitting victim.
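The failure described above is, in effect, a missing object-level authorization check: a signed-in session could read and change an account it did not own. The following is an added illustration, not TalkTalk’s code, of what such a check looks like and how its audit trail surfaces cross-account attempts; it assumes, as a constructed model, that a session carries the customer id it was issued for and each account record carries its owner’s id.

```python
# Added example, not TalkTalk's code. Constructed model of the article's failure:
# a signed-in customer viewing or changing an account they do not own. Assumes a
# session carries the customer id it was issued for and an account its owner id.
from dataclasses import dataclass

@dataclass
class Account:
    owner_id: str
    name: str
    mobile: str

@dataclass
class Session:
    customer_id: str

class NotAuthorized(Exception):
    pass

AUDIT: list[str] = []  # in-memory audit log, constructed for the example

def is_owner(session: Session, account: Account) -> bool:
    # The single link every account action must enforce; omitting this check
    # yields exactly the cross-account access the article describes.
    return session.customer_id == account.owner_id

def require_owner(session: Session, account: Account, action: str) -> None:
    # Object-level authorization with both outcomes logged, so a session that
    # reaches other customers' accounts is visible even when it is denied.
    verdict = "ALLOW" if is_owner(session, account) else "DENY"
    AUDIT.append(f"{verdict} customer={session.customer_id} action={action} owner={account.owner_id}")
    if verdict == "DENY":
        raise NotAuthorized(f"{session.customer_id} may not {action}")

def view_details(session: Session, account: Account) -> dict[str, str]:
    require_owner(session, account, "view_details")
    return {"name": account.name, "mobile": account.mobile}

def change_mobile(session: Session, account: Account, new_mobile: str) -> Account:
    # The "Change Mobile" action from the article, gated by ownership.
    require_owner(session, account, "change_mobile")
    account.mobile = new_mobile
    return account

def denied_per_customer(audit: list[str]) -> dict[str, int]:
    # Detection over the audit log: DENY events per customer id, so a session
    # repeatedly touching accounts it does not own stands out for review.
    counts: dict[str, int] = {}
    for line in audit:
        if line.startswith("DENY "):
            cid = line.split("customer=")[1].split()[0]
            counts[cid] = counts.get(cid, 0) + 1
    return counts
```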
How did TalkTalk respond?
After ISPreview brought the issue to TalkTalk’s attention, TalkTalk issued a statement saying that this was a “matter of urgency and high priority”. However, it would still take a few more days before the issue was fully resolved.
“We have investigated the incident and identified a one-off technical error that led to a limited amount of one customer’s data being visible to the customer ISP Review contacted us about. This issue has now been fully resolved. We are in contact with and have apologised directly to the customer concerned.” - TalkTalk Statement on the issue
TalkTalk clarified that their systems had not been hacked (again) and that there had been no internal breach of protocol leading to this issue. They essentially described this as an edge case that would not recur.
While TalkTalk underlined that no customer data was illegally shared and that no sensitive financial information was revealed, it must be added that the visible data would have been sufficient to illicitly obtain further sensitive data, including banking records.
Another salient worry in this privacy breach is that TalkTalk only acted after the concerned user had gone to the press - and not before.
Lax data security policies at TalkTalk?
In 2019, a BBC research team found that TalkTalk had not fully informed over 4500 customers of the privacy impact of a data breach that had occurred four years earlier.
The researchers were able to find personal information through a simple Google search. This included names, addresses, dates of birth as well as bank information for a large number of TalkTalk customers.
TalkTalk’s lack of transparency regarding the data breach had real consequences, according to the BBC. One TalkTalk customer faced fraud attempts against their personal phone, email and bank account. The attempts were brazen enough that fraudsters were able to impersonate the customer.
While customers on the receiving end of a potential data breach should be the top priority for companies, it seems that TalkTalk hasn’t learned the lessons of their 2015 data breach just yet.