The TV Licensing agency has admitted to directing 25,000 viewers to send bank details over an unencrypted connection.
In a statement, the organisation said tens of thousands of customers had sent personal details over an insecure HTTP connection, but that credit and debit card payments were not compromised.
The agency was criticised earlier this month for having an HTTP branch of its website, which didn't redirect to HTTPS, for handling forms for sensitive financial information. TV Licensing subsequently took its website offline as it migrated to the encrypted protocol, and advised 40,000 viewers to check their bank statements for suspicious transfers.
"We can now confirm that fewer than 25k customers sent over unencrypted bank details and that credit and debit cards numbers were always secure," the agency said in a statement sent to IT Pro.
In a FAQ about the reasons for TV Licensing's brief unavailability, the agency said customer payment transactions were still encrypted during the time the HTTP site was used, but that personal data such as names, addresses and bank details were not. "There is no evidence of the website being subject to any sort of attack, or anyone having acted maliciously".
12/09/18 - TV Licensing urges thousands of viewers to check bank statements after security lapse
Tens of thousands of television viewers who have entered their details on the TV Licensing website are being urged to check their bank statements for suspicious transactions following a lapse in the site's security.
It warned that from 29 August until around 3.20pm on 5 September 2018, some transactions carried out on the website were "not as secure as they should have been".
The organisation emailed 40,000 people who entered bank account and sort code details telling them to check their bank accounts for suspicious transactions and to make sure direct debits haven't been amended.
It later confirmed that it believes up to 25,000 customers sent unencrypted bank details to the site, although that credit and debit card numbers remained secure.
However, information including names, addresses, and emails is at risk because they were not encrypted when they were transmitted from customers' computers to TV Licensing.
It said in a statement that as soon as the issue was discovered "we took the website offline and fixed it. We're really sorry this happened but want to assure you that the risk to you is low and we've taken action to ensure it doesn't happen again".
Dan Pitman senior solutions architect at Alert Logic, told IT Pro that it would be prudent to cancel any direct debits and call TV Licensing to set up a new one.
"Where financial information combined with emails or other identifying factors are leaked it will enable criminals to put together different sets of data, potentially combining known passwords or personal details with that financial data," he said.
Ryan Wilk, vice president at NuData Security, told IT Pro that data in the wrong hands especially payment card information can have a huge impact on customers, far beyond the unauthorised use of their cards.
"Payment card information, combined with other user data from other breaches and social media, builds a complete profile," he said. "In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world."
