TalkTalk Data Breach Exposes Customers to Phone Scams

Thousands of TalkTalk customers have been potentially exposed to telephone-based fraud scams after hackers managed to access personal details via one of the telco’s contracted third parties.

The firm was forced to send its customers an email last week revealing that phone fraudsters were using the stolen information to trick customers into handing over their bank details, or downloading malware on their PCs.

An FAQ page on the company's website stated the following:

“Received a call claiming to be from TalkTalk? Recently there has been an increase in the number of cases of scammers claiming to be from TalkTalk preying on our customers, and some of them were quoting their TalkTalk account number as well as their phone number. 

After further investigation, we’ve become aware that some limited information we have about some of our customers could have been accessed in violation of our security procedures.”

TalkTalk was at pains to point out that no date of birth, bank or card details had been accessed, but admitted to the BBC that the number of customers affected was in the “small thousands.”

The telco claimed that it was only alerted to the situation after experiencing a rise in the number of customers complaining that they’d been targeted by vishers late last year.

It added:

“As part of our ongoing approach to security, we constantly test our systems and processes using external security specialists. We have put every possible measure in place to try and stop this from happening again.

We have reported the matter to the Information Commissioner’s Office and we're liaising with them and other official bodies because these scammers are targeting every sector.”

The third-party company in question is now the subject of legal action by TalkTalk, and the telco said it had worked with a specialist security firm to remediate the problems which led to the data breach.

The ICO has a help page about nuisance calls.

“Everyone needs to be on their guard for unsolicited emails and phone calls. If in doubt, go the extra mile to confirm that the person contacting you is legitimate and from the company they say they are,” advised security expert Graham Cluley.

“Often the best way is to visit the company's real website, and look for a contact number there rather than trusting them to identify themselves truthfully if they call you.”
