TalkTalk hack: Two men plead guilty to TalkTalk hack
Tamworth pair admit to offences under the Computer Misuse Act
27/04/2017: Two men have admitted their part in a hacking attempt on TalkTalk's website.
Matthew Hanley, 22, and Connor Allsopp, 20, pleaded guilty to charges relating to the massive data breach in October 2015.
The pair admitted their part in a plot to steal the personal details of thousands of customers, the Old Bailey heard. The pair from Tamworth, Staffordshire, will be sentenced in May.
The court heard how Hanley hacked into TalkTalk's website and obtained a spreadsheet containing TalkTalk customers' details.
Hanley also pleaded guilty yesterday to three offences under the Computer Misuse Act, including the hacking of the TalkTalk website, obtaining files that would enable the hacking of websites and supplying files to enable the hacking of websites to others.
Allsopp pleaded guilty on 30 March to assisting fraud and sharing a file that could help other hackers.
The Metropolitan Police identified Hanley as a suspect in their investigation and he was arrested last October. Officers seized computers and devices from his address but found they had been wiped or their data encrypted, so they could not access it.
Police then looked at Hanley's social media accounts and found conversations where Hanley had been discussing his involvement and actions in hacking into TalkTalk's website and discussing how he had deleted incriminating data from his computers and encrypted his devices to cover his tracks.
The online conversations also revealed that having stolen data from the telco, Hanley then got Allsopp to try and sell the personal data of customers so that the pair could profit from it.
Police arrested Allsopp this month and showed him these chat logs. Allsopp admitted that he had unsuccessfully tried to sell customer data that Hanley had stolen, as well as sell details of the vulnerabilities on TalkTalk's website that would enable others to hack into it.
Detective chief inspector Andy Gould, from the Met's Falcon Cyber Crime Unit, said that no matter how hard criminals try to conceal their activity, "they will leave some kind of trail behind".
"This investigation has been painstaking and the work our detectives have done to trace and identify those involved has combined cutting-edge digital forensic techniques, with old-fashioned detective work that has led to the conviction of several of those involved and the investigation continues," he added.
The pair are due to be sentenced on 31 May at the Old Bailey.
15/11/2016: A 17-year-old boy has admitted to seven charges of hacking, two of which relate to the TalkTalk data breach in October 2015.
The teenager, who cannot be named for legal reasons, pleaded guilty to all seven offences under the Computer Misuse Act at Norwich Youth Court today.
TalkTalk lost £60 million as a result of the hack, in which 157,000 customers had their details stolen, including bank account numbers, sort codes, and dates of birth.
UK data protection regulator the Information Commissioner's Office (ICO) fined the mobile operator a record £400,000 for the incident. Information Commissioner Elizabeth Denham said last month: "TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease."
The teenager will be sentenced on 13 December, after also targeting Manchester University Library and Cambridge University Library, among others. According to Sky News, he told the court: "I didn't really think of the consequences at the time. I was just showing off to my mates."
05/10/2016: TalkTalk has been issued with a record £400,000 fine by the Information Commissioner's Office (ICO) following the large-scale data breach in October 2015, due to "security failings".
The ICO's in-depth investigation found that the attack on the company last year could have been prevented if TalkTalk had taken basic steps to protect customers' information and that the firm allowed the cyber attacker to access customer data "with ease".
ICO investigators found that the cyber attack took advantage of technical weaknesses in TalkTalk's systems, allowing attackers to access the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes.
Information Commissioner Elizabeth Denham said: "TalkTalk's failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk's systems with ease.
"Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."
The data was taken from an underlying customer database that was part of TalkTalk's acquisition of Tiscali's UK operations in 2009, and was accessed through an attack on three vulnerable webpages within the inherited infrastructure.
The ICO said TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.
TalkTalk was also not aware that the installed version of the database software was outdated and was no longer supported by the provider.
A criminal investigation by the Metropolitan Police has been running separately to the ICO's investigation.
A TalkTalk spokesperson did not indicate if the telco will appeal the fine.
They said: "TalkTalk has cooperated fully with the ICO at all times and, whilst this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers.
"During a year in which government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.
"As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time."
20/07/2016: Around 9,000 TalkTalk customers left the provider in its latest quarter, as the operator continues to feel the aftereffects of last year's hack that spilt the data of 157,000 users.
Revenues declined 0.4 per cent year-on-year and TalkTalk also lost 23,000 TV customers.
However, it added 48,000 mobile users to its books and 36,000 fibre customers.
TalkTalk CEO Dido Harding said: "We are very pleased with how the year has begun. Revenue growth was level year on year despite a smaller customer base and churn was down year on year as we drove growth in mobile and fibre, and delivered real improvements in our customers' experience."
22/06/2016: TalkTalk's chief executive, Dido Harding, has earned £2.8 million in the last 12 months, despite the performance of the network being subject to a number of hacks and staff bonuses being cut substantially.
This is almost triple the amount Harding was paid in the previous 12 months and has caused some controversy within the company.
Around £2 million of the Baroness's pay relates to a long-term incentive scheme linked to the company's performance over the last three years, according to The Financial Times, despite profits having declined by 50 per cent over the course of the year.
However, Harding has said that the £220,000 bonus she was due to be paid for last year's performance will instead be donated to the Ambitious About Autism charity. The reason for this, she said, is that the company caused such strife to those caught up in the operator's hack in October.
TalkTalk said it would be cutting bonuses of the company's senior staff from 62 per cent to 40 per cent due to profits reducing as a direct result of the hack. It is estimated the slip-up will cost TalkTalk £60 million to rectify.
12/05/2016: Customers have forgiven TalkTalk for last year's devastating cyber attack, CEO Dido Harding claimed today, despite profits halving and 100,000 users jumping ship.
The telecoms provider, which released its annual financial report today, was adamant that customers are positive about the company, despite losing thousands of customers' data last October.
Harding said: "The vast majority of customers believe we looked after them. The business bounced back strongly in the final quarter following the cyber attack in October."
She added that the number of customers leaving has been the lowest ever in the last three months, saying this is "testimony to the speed with which customer sentiment towards TalkTalk has recovered", and that "trust in the brand and brand consideration [are] both higher than they were before the attack".
However, the report also revealed that the company lost more than 100,000 customers and had to spend over £40 million as a direct result of the attack, which slashed its annual profits by more than half.
TalkTalk's customer loss only amounts to around three per cent of its total customer base. While this is a substantial loss for a major business, Cable.co.uk telecoms expert Dan Howdle believes that it should have been substantially higher.
"TalkTalk suffered three major security breaches in 2015, something savvy customers should not easily forgive," he said. "That TalkTalk lost only three per cent of its existing customer base, however, points to problems... with the switching process itself."
He pointed out the fact that while the company dished out unconditional free upgrades to its customers in response to the attack, it did not allow unhappy customers to freely leave their contracts.
"Clearly the situation needs improvement. If a provider fails in its remit to protect its customers and their data there should be a free get-out clause. There isn't, and that has allowed TalkTalk to limit the damage the attack caused it," he concluded.
15/04/2016: Over 125,000 customers have abandoned TalkTalk's broadband services during the first four months of this year.
It is estimated that around 17 per cent of their customers are considering leaving their broadband services as well, according to The Register.
TalkTalk has continued to lose broadband customers, but has gained an overall increase of business partly due to lowered prices and promotional offers.
Thus far TalkTalk has had a strong first quarter, with 40 per cent of their new customers choosing to subscribe to their services due to competitive pricing. The company's "triple play" service also yielded an increase of 3.2 per cent, raising their total market share for the category to 12.2 per cent.
BT remains the most dominant provider, having captured nearly one third of the market (31.5 per cent) in competition with other service providers. Their closest competitor, Sky, having recently lost 5 per cent of their market share, now holds 23.3 per cent of the market.
This progress shows that the company is gaining forward momentum since it was hacked, an attack which compromised the personal data of over 150,000 customers. The incident ran up a bill of around £60m and a loss of over 100,000 customers.
17/03/2016: TalkTalk is swapping passwords for voice biometrics following the cyber attack that affected 157,000 of its customers.
The mobile operator will let users access their accounts via voice recognition, rather than requesting their passwords or answers to pre-set questions, which may have been compromised by hackers.
Nuance, the company providing TalkTalk with the voice recognition technology, said its software compares a customer's voice to their unique voiceprint and securely authenticates the customer - or flags the call if fraud is suspected.
TalkTalk claimed it is the first mobile operator to introduce the technology, doing so after the cyber attack it suffered cost the firm an estimated £60 million, as well as 100,000 customers leaving the firm.
The banking industry already uses voice recognition, with HSBC most recently deciding to replace passwords with biometrics, also supplied by Nuance.
02/02/2016: TalkTalk has revealed last year's cyber attack cost the company £60 million, almost double an initial estimate.
A trading update on Tuesday revealed that the hack had cost far more than the estimated £35 million, though TalkTalk also experienced revenue growth of 1.8 per cent in Q3, with earnings expected to reach £255 million to £265 million by the end of the year.
Dido Harding, TalkTalk CEO, said: "It is encouraging to see the business returning to normal after a challenging quarter that was dominated by the cyber attack. Our customers have responded well, with almost half a million customers choosing to take up our unconditional offer of a free upgrade.
"Both churn and new connections recovered during December and January and independent external research has revealed that customers believe that we acted in their best interest. In fact trust in the TalkTalk brand has improved since just after the attack and consideration is higher now than it was before the incident."
28/01/2016: Police have arrested three people at one of TalkTalk's Indian call centres on suspicion of stealing customers' data, sparking further questions about the care with which the telecoms company treats its customer records.
The men were arrested by the Indian authorities in connection with the stolen data, which they allegedly used to make scam calls from a call centre in Kolkata, according to a Channel 4 investigation.
In response, TalkTalk said it is working with international outsourcer Wipro, which runs the call centre, and local police.
The mobile provider said in a statement: "Acting on information supplied by TalkTalk, the local police have arrested three individuals who have breached our policies and the terms of our contract with Wipro. We are also reviewing our relationship with Wipro."
It added: "We are determined to identify and deal effectively with these issues and we will continue to devote significant resource to keeping our customers' data safe. Data theft and scams are a growing issue affecting all businesses and they are notoriously difficult to investigate and prosecute. We are pleased that our investigations have yielded results, and will continue to do everything we can to tackle these crimes."
The incident is only the latest data breach TalkTalk has suffered, and it comes hot on the heels of an attack last October in which 157,000 customers had their details stolen, including bank account numbers, sort codes, and dates of birth.
Information commissioner Christopher Graham told MPs this week that companies needed to strengthen their security to prevent similar data losses, the Financial Times reported.
The Information Commissioner's Office (ICO) is investigating the TalkTalk data breach as part of the Cyber security: Protection of personal data online inquiry.
21/01/2016: Customers are leaving TalkTalk in their droves after the mobile operator's data hack last year, research from Kantar Worldpanel ComTech shows.
Seven per cent of TalkTalk's broadband base switched to a different provider in the fourth quarter of 2015, Kantar's figures show.
The research firm said there was "no doubt" that the company lost potential customers as a result of its data hack.
Almost a fifth of those leaving TalkTalk did so as a direct result of poor reliability, a four per cent increase on the previous quarter, when fewer than one per cent cited this reason.
Imran Choudhary, consumer insight director at Kantar Worldpanel, said: "TalkTalk continues to offer some of the most attractive promotions across the home services market and almost a third of its new customers did choose it for this reason, but there can be no doubt that it lost potential customers following the major data hack.
"If it's to recover from recent events TalkTalk will need to offer more than just good value."
The telecoms firm's systems were breached last October, and 157,000 customers had their details stolen, which included bank account numbers, sort codes, and dates of birth.
The hack has already cost the company £35 million in one-off costs to resolve the immediate backlash related to 15,600 of those leaked bank details.
TalkTalk chief executive Dido Harding talked down the long-term repercussions for the brand at the time, saying: "Customers think we're doing the right things".
BT benefitted from the exodus, with 12 per cent of its new customers saying their primary reason for joining was because they saw it as a trusted supplier. That figure was twice the market average.
16/12/2015: Police recommended that TalkTalk stayed quiet about attacks on its site while detectives carried out their investigations and made arrests.
At a House of Commons Culture, Media and Sport Committee hearing, CEO Dido Harding told MPs that the cyber attack was "one of the most difficult periods for the TalkTalk board and for me personally".
"It was clear by lunchtime on Thursday (22 October) that the sensible thing to do to protect my customers was to warn all of them because I could help make them safer. I could give them free credit monitoring, I could warn them not to accept these scam calls," she told committee members.
"For completely understandable reasons, the advice we received that Thursday afternoon from the Metropolitan Police was not to tell our customers."
She said she opposed the idea of compensation claims being valid and added she was "not aware of anyone who has directly lost money as a direct consequence of the attack. Any who have suffered a direct financial loss should get in direct contact. We wish to deal with these on a case-by-case basis."
Harding added that the Telecoms Ombudsman "is there to adjudicate, and customers not getting fair redress from their insurance company, bank, or telco, should go there."
In reply to questions over who was responsible, Harding said that no one individual in the firm was.
"It really does come back to the CEO and board. Was there sufficient oversight in terms of the security policies, the resourcing of the technology team to implement those policies, and the knowledge and understanding of best practice?
"It is a board level issue, not an individual issue below."
25/11/2015: An 18-year-old boy was arrested in Llanelli, Wales, over the TalkTalk data hack yesterday.
The teenager becomes the fifth person detained in relation to the cybercrime incident and was arrested on suspicion of blackmail, and taken into custody at a Dyfed Powys police station.
The four others arrested, a 16-year-old boy from Norwich, held on suspicion of offences under the Computer Misuse Act, a 20-year-old man from Staffordshire, a 16-year-old boy from Feltham and a 15-year-old from County Antrim, Northern Ireland, were all subsequently bailed.
A total 157,000 customers had data stolen in October's cyber attack, TalkTalk has confirmed, with cybercriminals making off with 21,000 bank account numbers and sort codes, along with 28,000 obscured credit and debit card details and 15,000 dates of birth.
20/11/2015: A law firm is considering legal action against TalkTalk on behalf of customers whose data was lost in the mobile operator's latest leak.
Hugh James law firm, based in Cardiff, told the Guardian it has been approached by victims of the data breach and is encouraging others to come forward to join a possible group legal action against the company.
Partner Gwen Evans said: "Since the serious security breach occurred last month, we have been approached by a number of TalkTalk customers who are naturally concerned about whether their personal data has been accessed and misused.
"We are considering whether there is a case to take group legal action against TalkTalk because it is highly likely that the Data Protection Act 1998 will have been breached during this time."
A total 157,000 customers had personal data stolen in the October attack, TalkTalk has confirmed.
Cybercriminals also made off with 21,000 bank account numbers and sort codes, along with 28,000 obscured credit and debit card details and 15,000 dates of birth.
Writing in the Guardian, professor of the public understanding of technology, John Naughton, said the mobile operator's board must take more responsibility for customer security, saying that the company's failure to encrypt users' data cannot be blamed solely on engineers.
"Companies like TalkTalk are up against professional criminals," he wrote. "They, therefore, need to up their amateurish game. If a company's business requires it to store customers' sensitive information, then data security has to be a board-level responsibility, up there with health and safety and regulatory compliance. It is not just a matter for techies and boffins."
He added: "There have to be serious criminal and civil penalties for carelessness, complacency or incompetence."
11/11/2015: TalkTalk's cyber attack will cost it between £30 million and £35 million, it has admitted.
Despite just 160,000 customers losing personal data in last month's hack, shares in the mobile operator have dropped by a quarter since news of the incident went public.
But it blamed one-off costs like the loss of online sales for the predicted dip in earnings, and CEO Dido Harding today announced a string of free offers to customers who have stayed with the firm as a way of thanking them.
Customers can choose a selection of free features, including extra TV channels, a mobile SIM with free texts, data and calls, and unlimited landline and mobile calls from 1 December.
Meanwhile, TalkTalk has announced a new bundle of online and telephone security features, such as F-Secure's anti-virus protection, web filter HomeSafe, and the ability to block cold callers.
Harding said: "TalkTalk takes the security of customers' data extremely seriously and we are taking significant further steps to ensure our systems are protected, as well as writing to all our customers outlining what we are doing to keep their data safe. "In recognition of the unavoidable uncertainty, and because we know that doing what is right for our customers will ensure the best possible outcome for the company over the longer term, we are today announcing the offer of a choice of free upgraded services to all our customers."
06/11/2015: Only 156,959 TalkTalk customers had any personal data stolen in the hack on its systems, the mobile network has claimed - far fewer than the 1.2 million originally feared. Of those, roughly 10 per cent had their bank account number and sort code stolen, about 5,000 fewer than stated last week.
"Ongoing forensic analysis of the site confirms that the scale of the attack was much more limited than initially suspected, and we can confirm only four per cent of TalkTalk customers have any sensitive personal data at risk. However, we continue to advise customers to be vigilant, and to take all precautions possible to protect themselves from scam phone calls and emails," the company said in an updated statement.
TalkTalk said it has now contacted all customers whose financial details were accessed and will be contacting all other affected customers over the next few days.
The company also claimed that "the financial information accessed cannot on its own lead to financial loss", however, stories of defrauded customers abound, including one man who was offered just £30 as a "goodwill gesture" after £3,500 was stolen from his bank account in the wake of the hack.
04/11/2015: Police have arrested a fourth person in connection with the TalkTalk data hack, this time a 16-year-old boy from Norwich.
The teenager was detained by police yesterday on suspicion of offences under the Computer Misuse Act after the National Crime Agency and the Met's Cyber Crime Unit obtained a warrant to search an address in the city.
The boy has been released on bail until late March 2016, after a 20-year-old man was arrested in Staffordshire in connection with the cybercrime incident, and bailed until early March.
Two other boys, a 16-year-old from Feltham and a 15-year-old from County Antrim, Northern Ireland, have also been arrested and bailed in connection with the attack.
More than a million customers were affected by the hack, TalkTalk has confirmed, while 21,000 bank account numbers and sort codes were stolen.
03/11/2015: TalkTalk customer data is being sold on the dark web for as little as 20p per record, according to reports.
An LBC investigation claimed it found 2,500 customer accounts on the dark web and used a sample of the data from the criminals selling it to contact victims of the hack, including a woman called Louisa Jenkins.
She told the Nick Ferrari Breakfast show: "I'm quite angry. It feels like your details are never safe."
The news comes days after a Sunday People investigation that found a criminal calling himself Martian claimed to sell TalkTalk data on the dark web market AlphaBay for £1.62 a time, offering information in bulk.
02/11/2015: Hackers stole 1.2 million customers' email addresses, names and phone numbers in the TalkTalk data breach, the company has confirmed.
However, the cybercriminals only made off with 21,000 bank account numbers and sort codes, along with 28,000 obscured credit and debit card details and 15,000 dates of birth, the mobile operator said in a statement on its website.
With speculation over just how many of its four million customers were affected by the attack last month, TalkTalk said, "the extent of the data accessed is significantly less than originally suspected".
CEO Dido Harding said: "Today we can confirm that the scale of the attack was much smaller than we originally suspected, but this does not take away from how seriously we take what has happened and our investigation is still ongoing.
"On behalf of everyone at TalkTalk, I would like to apologise to all of our customers. We know that we need to work hard to earn back your trust and everyone here is committed to doing that."
Credit and debit card information, which was missing the middle six digits at the time that hackers accessed it, cannot be used to make financial transactions.
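The "missing the middle six digits" point above describes PAN truncation: only the first six digits (the issuer BIN) and the last four of a 16-digit card number are retained. The Python below is an added example, not code from TalkTalk or from the original article. It assumes a 16-digit PAN and uses a constructed sample number (the widely published Visa test PAN 4111 1111 1111 1111, not a real card). It shows the storage form and, by brute force, that the public Luhn checksum only narrows the hidden digits from a million to a hundred thousand candidates per card, so the truncation itself, not the checksum, is what makes the stored value useless for transactions.

```python
# Added example: PAN truncation (keep BIN + last four, drop the middle six)
# and a brute-force measure of how little the Luhn check helps an attacker
# who holds only the truncated form. Not TalkTalk's or the article's code.
from itertools import product

# Constructed sample for the demo: a well-known Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep_prefix: int = 6, keep_suffix: int = 4) -> str:
    """Storage form: first six and last four digits kept, the middle replaced by '*'.

    Spaces and dashes in the input are stripped; the demo assumes a 16-digit PAN.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) != 16:
        raise ValueError("this example assumes a 16-digit PAN")
    hidden = len(digits) - keep_prefix - keep_suffix
    return digits[:keep_prefix] + "*" * hidden + digits[-keep_suffix:]


def luhn_valid_completions(masked: str) -> int:
    """Count the fillings of the '*' positions that yield a Luhn-valid number.

    Brute force over every 10**n filling. The per-digit Luhn contribution is
    precomputed so the million-iteration loop stays fast. Because the doubling
    map is a bijection on 0-9, exactly one tenth of all fillings pass, i.e. the
    checksum removes a single factor of ten from the search space.
    """
    n = len(masked)

    def contrib(d: int, i: int) -> int:
        # Position i counted from the left is doubled when (n - 1 - i) is odd,
        # which matches the right-to-left rule in luhn_valid().
        if (n - 1 - i) % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        return d

    fixed = sum(contrib(int(ch), i) for i, ch in enumerate(masked) if ch != "*")
    hidden = [i for i, ch in enumerate(masked) if ch == "*"]
    tables = [[contrib(d, i) for d in range(10)] for i in hidden]

    count = 0
    for combo in product(range(10), repeat=len(hidden)):
        s = fixed
        for table, d in zip(tables, combo):
            s += table[d]
        if s % 10 == 0:
            count += 1
    return count


if __name__ == "__main__":
    stored = truncate_pan(SAMPLE_PAN)
    print("original passes Luhn:", luhn_valid(SAMPLE_PAN))
    print("stored form:", stored)
    print("Luhn-valid completions of stored form:", luhn_valid_completions(stored))
```

The hundred-thousand figure is per card and assumes the middle digits exist nowhere else; truncation only protects a record if the full PAN is not also sitting in a log, a backup or an inherited database that nobody inventoried.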
TalkTalk has shared the bank details of affected customers with their banks to help prevent fraud and has partnered with credit check company Noddle to offer customers a free year of credit monitoring alerts.
The Metropolitan Police Cyber Crime Unit's criminal investigation is ongoing.
Detective Superintendent Jayne Snelgrove said: "TalkTalk have done everything right in bringing this matter to our attention as soon as possible. Our success relies on businesses being open with us and each other about the threats they encounter."
The 20-year-old man arrested in Staffordshire was taken into custody by Staffordshire police on suspicion of offences under the Computer Misuse Act and is the third person held in connection with the case, after a 15-year-old boy from Northern Ireland and a 16-year-old boy from west London were arrested and subsequently bailed last week.
The 16-year-old has been bailed until a date as yet to be revealed by police while the 15-year-old from Northern Ireland is on bail until later this month.
30/10/2015: Police have arrested a second teenage boy in connection with the TalkTalk hack, this time, a 16-year-old from West London.
The boy was arrested on suspicion of Computer Misuse Act offences, reports BBC News, but has since been bailed. This follows the arrest of a 15-year-old boy from Northern Ireland, who was arrested earlier in the week.
A property in Liverpool has also been searched, according to the Metropolitan Police.
27/10/2015: TalkTalk has announced it will still charge customers affected by the TalkTalk hack a fee if they want to discontinue their service and cancel their contract.
However, it will waive termination charges if a customer can prove they have had money stolen from their bank account, although it says this is an unlikely scenario, claiming that neither bank details nor credit card information was stolen in the attack.
"In the unlikely event that money is stolen from a customer's bank account as a direct result of the cyber-attack [rather than as a result of any other information given out by a customer], then as a gesture of goodwill, on a case-by-case basis, we will waive termination fees," it said in a statement.
Also this morning, the Police Service of Northern Ireland revealed the 15-year-old arrested last night in County Antrim in relation to the hack has been released on police bail pending further enquiries.
However, Jonathan Craig, a member of the Policing Board in Northern Ireland, told the Belfast Telegraph that should the boy be found to be implicated in the attack it "raises questions" for TalkTalk as to how a teenager from County Antrim could have breached a major telecoms provider.
26/10/2015: Labour accused the government of chaos and incompetence over its response to the TalkTalk data breach today, as reports emerged of a 15-year-old boy's arrest in connection with the attack.
Shadow minister for culture and the digital economy Chi Onwurah questioned her Tory counterpart Ed Vaizey over Whitehall's data policy, claiming it has failed to keep up with cybercriminals' endeavour.
Speaking in the House of Commons today, Onwurah said: "This government's data policy is chaos illuminated by occasional flashes of incompetence. Will the minister acknowledge that all the innovation has come from the criminals while the government sit on their hands, leaving it to businesses and consumers to suffer the consequences?"
Her comments came hours before Scotland Yard confirmed a 15-year-old boy had been arrested on suspicion of Computer Misuse Act offences.
The Police Service of Northern Ireland and the Met's cybercrime unit arrested the teenager in County Antrim at 4.20pm today and have taken him into custody.
The hack has led to victims' bank accounts being emptied by cybercriminals, with millions believed to have had their personal details leaked after TalkTalk admitted it had not encrypted customer data.
Vaizey failed to confirm whether or not police would receive more resources to respond to the hacking case and its victims after Onwurah questioned how the government would help police.
Instead, he replied: "The police have extensive resources with which to combat cybercrime, and we are the government who set up the national cybercrime unit.
"We have invested more than £860 million in cyber-security and we have a number of very effective schemes with which to engage business."
TalkTalk reported the breach to UK data watchdog the Information Commissioner's Office on Thursday, Vaizey added, a day after the breach took place.
However, he refused to reveal how many customers TalkTalk believes have been affected by the breach; it is thought to be in the millions, but the figure remains unconfirmed.
25/10/2015: TalkTalk has admitted it did not encrypt customer data such as credit card details and telephone numbers after hackers stole potentially millions of customers' information.
CEO Dido Harding told the Sunday Times today: "It wasn't encrypted, nor are you legally required to encrypt it.
"We have complied with all of our legal obligations in terms of storing of financial information."
The mobile operator has four million users but has not confirmed how many it believes were caught up in the data breach it suffered earlier this week.
However, TalkTalk could face thousands of legal claims from victims, with the total payout rising to around £20 million, according to insurance law firm BLM, including the cost of replacing four million credit cards.
Partner and head of technology Tim Smith told the Financial Times: "[It is] quite probable that customers will sue for a breach of the Data Protection Act and a breach of confidence and privacy rights."
Meanwhile, an £80,000 ransom note received by Harding from someone claiming responsibility for the hack included a table of 400,000 TalkTalk customers who have recently undergone credit checks with the company, KrebsOnSecurity reported.
It comes after the Times claimed yesterday that victims' bank accounts had been emptied by hackers, adding that TalkTalk had ignored criticism of its online security a year ago.
23/10/2015 3pm: TalkTalk's CEO has received a ransom note purportedly from the hackers responsible for a huge data hack that could affect millions of customers.
Dido Harding told BBC News: "It is hard for me to give you very much detail, but yes, we have been contacted by, I don't know whether it is an individual or a group, purporting to be the hacker.
"All I can say is that I had personally received a contact from someone purporting - as I say I don't know whether they are or are not - to be the hacker looking for money."
The email will be examined by the Metropolitan Police, which is investigating the hack.
It is not yet clear how many customers' data has been lost in the leak, but TalkTalk has four million users and the information lost includes names, addresses, dates of birth, telephone numbers and credit card details; not all of this was encrypted.
The mobile operator lost the data in the middle of a distributed denial of service (DDoS) attack, during which its servers crashed under huge volumes of traffic.
It is believed hackers may have used the DDoS attack to distract TalkTalk's security team while they pinched the data.
The mobile operator has recommended people change their passwords as soon as its site goes back online, and this latest breach is the third in 12 months to hit the company.
What could happen to customers?
Christopher Boyd, malware intelligence analyst at Malwarebytes, said hackers could target customers with phishing attacks now they have their details.
"People should be paying close attention to emails and other communication which appear to be genuine at first glance," said Boyd.
"If those messages are asking for additional information, service sign-ups or providing refund request attachments they should think very carefully before proceeding, lest they fall victim to a malware attack or yet another incident of data theft."
IT security company ESET warned that criminals will also use the data to steal customers' identities.
Security specialist Mark James said: "The data of all their customers will almost certainly be used for potential identity theft along with the obligatory attempts at financial access with any current information they may have attained.
"There was some 'partial' encryption of credit card numbers, we are led to believe, but businesses need to understand that all our private data has a value, not just the direct financial stuff."
The consequences for TalkTalk
The Information Commissioner's Office (ICO) has been notified of the breach and will investigate it, potentially leading to a fine of up to £500,000 for TalkTalk.
But Mahisha Rupan, senior associate at law firm Kemp Little, said TalkTalk's swift notification to customers of the breach could mitigate any such penalty.
"The ICO is likely to take into account TalkTalk's response to the breach and its attempt to limit any losses incurred by the customer," said Rupan.
ESET's James added that TalkTalk should bolster its security following the attack, saying: "Companies should implement proper use of cryptography, encrypting the sensitive data and hashing the passwords in a cryptographically sound way. We are forced to trust companies with our data and so often that trust is lost through no fault of our own."
23/10/2015 10am: TalkTalk has confirmed that hackers have once again infiltrated its website in what the company has called a "sustained" cyber attack that took place on Wednesday this week.
It is not known just how many of the firm's four million customers have been affected but hackers are believed to have been able to gain access to a wide range of sensitive information including names, addresses, dates of birth, email addresses, telephone numbers and other TalkTalk-specific account data.
Perhaps more concerning for TalkTalk customers is that credit card or bank details may also have been exposed, as the company confirmed that such information could be among the data hackers had access to during the attack.
Yesterday, the comms giant announced that the Metropolitan Police had launched a full criminal investigation into the issue, in addition to issuing an apology to customers, which started with the words no customer wants to hear: "We're very sorry..."
"We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed," TalkTalk's managing director (consumer) Tristia Harrison said in a statement issued online.
TalkTalk said it had taken measures to secure the website after the hack and that it constantly reviews its system security to protect data and prevent subsequent attacks. However, many users will take convincing as this is not the first time TalkTalk has suffered a data breach. Back in February this year (see story below), the company confirmed hackers had stolen personal user information and were targeting customers with scam phone calls.
"We would like to reassure you that we take any threat to the security of our customers' data very seriously," Harrison's statement continued.
"...Unfortunately, cyber criminals are becoming increasingly sophisticated and attacks against companies which do business online are becoming more frequent."
The incident has been reported to the ICO and TalkTalk has contacted major banks to keep them on high alert for suspicious activity on customer accounts. It has also recommended that customers monitor their own accounts for any unauthorised or unusual activity and check their credit reports held with the main agencies Call Credit, Experian and Equifax.
TalkTalk has also addressed frequently asked questions related to the attack online to help customers better understand what has happened and how they might be affected.
In response to the question 'Why were you targeted?' the company has responded: "Unfortunately TalkTalk is by no means an isolated incident. Barely a week goes by now without cybercriminals using increasingly hostile and sophisticated methods to target companies that do business online. It's not just companies like TalkTalk that are being targeted, banks, retailers like Apple and even the US Government have been victims."
27/2/15: TalkTalk has confirmed hackers accessed its systems and stole personal information about its customers, resulting in some receiving follow-up phone calls from scammers.
In a statement issued to IT Pro, TalkTalk confirmed a small number of its four million customers had their account names and numbers compromised.
"We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly," the firm said in a statement.
"We want to reassure customers that no sensitive information like bank account details has been illegally accessed, and TalkTalk Business customers are not affected."
TalkTalk confirmed the Information Commissioner's Office, which is responsible for enforcing the Data Protection Act, has been made aware of the breach.
The data theft came to light following an uptick in reports from customers about receiving suspicious-sounding phone calls from individuals claiming to work for TalkTalk at the end of 2014, TalkTalk said in an email to customers.
"In a small number of cases, customers told us that the criminals were quoting their TalkTalk account number, as well as their phone number," it states.
"Following further investigation into these reports, we have now become aware that some of the information we have about some customers (their name, home address, phone number and TalkTalk account number) could have been illegally accessed in violation of our security procedure.
"Please rest assured that your sensitive information of date of birth, bank or credit card details have not been illegally accessed," it adds.
The email then goes on to reiterate that TalkTalk will never take its customers' banking details over the phone or ask them to download any kind of software onto their computers.
"Preventing all scam and nuisance calls is a high priority for us. We are doing everything possible to prevent this from happening again, and to protect you from all malicious and nuisance calls.
"In some cases we are able to block certain callers, including those from these criminal organisations, from ringing customers on our network, if they've breached a strict set of criteria.
"You can also block your number from receiving unsolicited sales calls by registering with the Telephone Preference Service," the email concludes.
What to do if you have been affected by the TalkTalk hack
Advice from Wim Remes, Rapid7
"We often hear the question 'What can users of a compromised service do?' If you suspect that personal data is compromised, there are several steps you can take. These are actually the same steps you should consider in order to minimise the impact of a compromise:
- If you have used the same password as for the compromised service anywhere else, change the passwords for all those services. Consider configuring two-factor authentication if the service supports it.
- If your bank allows this, restrict the amount of money that can be transferred without additional authorisation to the lowest possible amount that keeps it practical for you.
- Never perform actions in relation to your bank account or customer record based on a phone call you receive from a self-proclaimed representative of your bank or service provider. It is your right to request additional identification and phone calls, while direct, are never used as a last resort before your account is blocked.
- Watch your bank statements closely and do not keep all money in your current account, just enough to cover expenses/bills for the next 30 days or whatever time period works for you.
- Keep track of all your online accounts and manage them as if they constitute the contracts they are related to. If an online account is not strictly necessary, consider cancelling it in order to limit your data footprint as much as possible."
This article was originally published on 27/02/15 and has since been updated numerous times as new facts emerge, most recently on 16/12/2015.