TalkTalk Overlooked Nearly 5000 Customers in Breach Notification

Written by

A mishandled 2015 data breach continues to hound TalkTalk after it emerged that the UK telco failed to notify nearly 5000 customers that had been affected.

After being contacted by viewers who suspected their details had been stolen via the telco, consumer rights program Watchdog Live investigated.

It subsequently found their full names, addresses, email addresses, dates of birth, TalkTalk customer numbers, mobile numbers and bank details available via a simple Google search.

“A recent investigation has shown that 4545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologize — 99.9% of customers received the correct notification in 2015,” the firm told the BBC in a statement.

“On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss.”

The latter may be technically true, but it gaslights the issue somewhat, as fraudsters are more than capable of using such details to impersonate their victims in order to elicit more information which could be monetized.

Affected customers told the show they have been the victim of frequent scam calls, while some have suffered attempted identity fraud which has impacted their credit rating.

The original incident involved the compromise of 157,000 customers, including bank account numbers and sort codes for over 15,000 of them.

It led to a £400,000 fine from regulator the ICO after it was found that attackers had exploited a simple SQL injection flaw in web pages that TalkTalk didn’t even know existed.

The firm was also widely criticized for its incident response, sending out confusing messages via a CEO not in possession of all the facts.

TalkTalk’s profits halved following the incident, with the firm paying £42m to cover incident response, external consulting and increasing call volumes as a result of a breach.

What’s hot on Infosecurity Magazine?