Customers of debt-troubled UK internet provider TalkTalk have been given an uncomfortable reminder of the 2015 cyberattack after the ISP admitted that it was “investigating” reports on a cybercrime forum alleging that the provider had suffered a new data breach.
According to The Register, a member of the forum claimed that personal data belonging to 18.8 million current and former customers of TalkTalk had been leaked, including subscriber PINs, first and last names, email addresses, information about customers’ last account access, IP addresses, and business and home phone numbers. No financial details appear to have been exposed.
The breach, which allegedly took place last month, is said to have occurred at an external third-party supplier used by TalkTalk. But doubts have been cast over the figure of 18.8m customers, not least since the provider currently has only 3.6 million customers (including residential, business and wholesale etc.).
Even accounting for past customers, it would still be a struggle to reach 19m, and that’s before we consider the requirement of data protection laws to erase old data (exemptions do sometimes apply). But debates over the scale of the breach may be at risk of distracting from the negative impact of the alleged breach itself, regardless of how many customers it may involve.
A spokesperson for TalkTalk said:
“As part of our regular security monitoring, given our ongoing focus on protecting customers’ personal data, we were made aware of unexpected access to, and misuse of, one of our third-party supplier’s systems, however, no billing or financial information was stored on this system.
Our security incident response team is continuing to work with the supplier regarding this matter and protective containment steps were taken immediately. Our investigations are ongoing, however, we can confirm that the number of potential customers referred to in certain online posts is wholly inaccurate and very significantly overstated.”
As it stands, TalkTalk are still in the early stages of investigating the claim and cannot yet confirm whether any personal data has in fact been breached, although the above statement does appear to hint in that direction. At this point it probably goes without saying that this is the last thing the provider and their customers need, particularly given their recent financial woes.