TV Licensing admits it led 25,000 people to send unencrypted bank details

The agency previously warned that transactions carried out on its website were "not as secure as they should have been"

TV

The TV Licensing agency has admitted to directing 25,000 viewers to send bank details over an unencrypted connection.

In a statement, the organisation said tens of thousands of customers had sent personal details over an insecure HTTP connection, but that credit and debit card payments were not compromised.

The agency was criticised earlier this month for having an HTTP branch of its website, which didn't redirect to HTTPS, for handling forms for sensitive financial information. TV Licensing subsequently took its website offline as it migrated to the encrypted protocol, and advised 40,000 viewers to check their bank statements for suspicious transfers.  

"We can now confirm that fewer than 25k customers sent over unencrypted bank details and that credit and debit cards numbers were always secure," the agency said in a statement sent to IT Pro

Advertisement
Advertisement - Article continues below

In a FAQ about the reasons for TV Licensing's brief unavailability, the agency said customer payment transactions were still encrypted during the time the HTTP site was used, but that personal data such as names, addresses and bank details were not. "There is no evidence of the website being subject to any sort of attack, or anyone having acted maliciously".

12/09/18 - TV Licensing urges thousands of viewers to check bank statements after security lapse

Tens of thousands of television viewers who have entered their details on the TV Licensing website are being urged to check their bank statements for suspicious transactions following a lapse in the site's security.

It warned that from 29 August until around 3.20pm on 5 September 2018, some transactions carried out on the website were "not as secure as they should have been".

The organisation emailed 40,000 people who entered bank account and sort code details telling them to check their bank accounts for suspicious transactions and to make sure direct debits haven't been amended.

It later confirmed that it believes up to 25,000 customers sent unencrypted bank details to the site, although that credit and debit card numbers remained secure.

However, information including names, addresses, and emails is at risk because they were not encrypted when they were transmitted from customers' computers to TV Licensing.

It said in a statement that as soon as the issue was discovered "we took the website offline and fixed it. We're really sorry this happened but want to assure you that the risk to you is low and we've taken action to ensure it doesn't happen again".

Dan Pitman senior solutions architect at Alert Logic, told IT Pro that it would be prudent to cancel any direct debits and call TV Licensing to set up a new one.

"Where financial information combined with emails or other identifying factors are leaked it will enable criminals to put together different sets of data, potentially combining known passwords or personal details with that financial data," he said.

Advertisement
Advertisement - Article continues below

Ryan Wilk, vice president at NuData Security, told IT Pro that data in the wrong hands especially payment card information can have a huge impact on customers, far beyond the unauthorised use of their cards.

"Payment card information, combined with other user data from other breaches and social media, builds a complete profile," he said. "In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world." 

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/mobile/mobile-phones/354273/pablo-escobars-brother-launches-budget-foldable-phone
Mobile Phones

Pablo Escobar's brother launches budget foldable phone

4 Dec 2019
Visit/network-internet/wifi-hotspots/354283/industrial-wi-fi-6-trial-reveals-blistering-speeds
wifi & hotspots

Industrial Wi-Fi 6 trial reveals blistering speeds

5 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019