Talk Talk attack in UK prompts demands for increased regulation

October 25, 2015

The TalkTalk breach has had knock-on effects, none of them good for TalkTalk.  The regulator, the Information Commissioner’s Office (ICO), has become involved.  The ICO issued a release stating:

“The ICO is aware of this incident, which was reported to us on Thursday afternoon. We will be making enquiries and liaising with the Police.

“Any time personal data is lost there can be a risk of identity theft. There are measures you can take to guard against identity theft, for instance being vigilant around items on your credit card statements or checking your credit ratings. There are tips and information about identity theft available on our website.”

The ICO will no doubt be thorough and impartial. The problem for any organisation is that the regulator will go where the evidence takes it.  In the past the regulator has been advised of a breach only to find that there were even more egregious practices, and it was those that actually attracted the censure.  A regulator will look at all of an organisation’s processes, policies and programs relating to data storage and protection.  It is uncommon for an organisation to have only one area of non-compliance.  Compliance tends to be a cultural and systemic issue.

The TalkTalk breach has prompted calls for increased powers to deal with online fraud.  This is reported by the Guardian in TalkTalk cyber-attack sparks calls for new regulatory powers.  It is probably prudent to review the regulation, but the more pressing immediate task is to comply properly with the current laws and put the resources into proper data protection and countering cyber attacks. Having the laws in place means little if they are not properly enforced.  Adding further regulation does not, in and of itself, improve compliance or reduce the effects of cyber attacks.

The article states:

Regulators must be given significant new “US-style” powers to tackle the escalating problem of online fraud in the wake of the cyberattack that potentially compromised the security of millions of TalkTalk customers, IT experts said. Their call came amid warnings that the security breach at the telecoms provider could cause problems for its victims that will last for years.

Some TalkTalk customers have complained that their bank accounts and credit cards have been targeted since Wednesday’s attack. But the TalkTalk chief executive, Dido Harding, insisted the data stolen in the cyberattack would not allow criminals to plunder customers’ bank accounts.

TalkTalk said complete credit card details are not stored in its system and that account passwords were not accessed. “We now expect the amount of financial information that may have been accessed to be materially lower than initially believed and would on its own not enable a criminal to take money from your account,” a spokesman added.

Earlier in the week, experts had warned the information seized – including names, addresses, date of birth, and email address of some of its four million customers – could still prove invaluable to criminals.

“With this level of information, fraudsters can create new bank accounts or take out loans under an actual person’s name, causing problems for fraud victims for years down the road,” said Ryan Wilk, director with NuData Security.

Experts predicted that the company could expect a grilling from the Information Commissioner’s Office which has issued guidance to customers who fear their personal details may have been accessed by criminals. It is likely to be asked about what steps it has taken to comply with stringent PCI/DSS regulations – the global standards set up by transaction companies such as MasterCard and Visa – that require companies to silo and isolate sensitive financial data.

Firms have to complete a PCI audit every year. How TalkTalk responded to the audits may be crucial as to whether it is fined by the ICO, suggested Dr Simon Moores, a former government technology adviser and chair of the International eCrime Congress, the industry body that brings together IT professionals working for governments and law enforcement agencies.

The ICO can impose penalties of up to £500,000 for companies that allow data protection breaches. But this is only a fraction of the amount that can be imposed in the US. Telecom giant AT&T was recently fined £17m over data breaches at its call centres in Mexico, Colombia and the Philippines.

“In light of the TalkTalk debacle, not only must the ICO review its powers and the levels of fine it can apply against companies shown to be remiss in looking after their customers, but the Financial Conduct Authority and parliament need to look more closely at this, given the extent of data breaches starting to appear,” Moores said.

Politicians on all sides signalled that they believed the law needed an overhaul.

Former home office minister Hazel Blears described the TalkTalk data breach as “a wake-up call” that should prompt a debate about whether further regulation was needed, suggesting cybercrime was “probably the biggest threat to our economy”.

Labour shadow cabinet minister Chi Onwurah has tabled parliamentary questions for the Department of Culture, Media and Sport asking how victims of data breaches can be informed and compensated.

“When you lose somebody’s data, you give the thieves a gateway into people’s lives,” Onwurah said. “I’m calling for a code of practice to encourage companies to take greater responsibility for data loss so that if an insurer loses your details and you get a hundred calls a week flogging PPI they have to compensate you.”

Some experts have called for the government to give a cabinet minister clear responsibility for cybersecurity. At the moment various Whitehall departments have a role in countering the threat.

Joanna Shields, minister for internet safety and security, has a brief largely focused on protecting children online.

Questions remain about who was behind the attack. TalkTalk said it had been contacted by someone seeking a ransom payment, but the company was not sure if the message was genuine.

Harding said that “with the benefit of hindsight”, it was evident that TalkTalk had not done enough to protect itself. The latest breach is the third in a spate of cyber-attacks affecting the company in the last eight months. In August its mobile sales site was hit. In February its customers were warned about scammers who stole thousands of account numbers and names from the company’s computers.

In response to reports that it had been warned by experts about its security, a spokesman for the firm said: “New techniques for attack develop all the time, so TalkTalk constantly updates and reviews our systems to try to stay one step ahead of cybercriminals. Since the previous attacks, we are working with world leading cybersecurity experts and investing a lot in making sure our system is as secure as possible. Unfortunately, no system is ever totally invincible.”

The company’s accounts, published in June, reveal that a Head of Security was appointed “to establish and oversee the new Security Operations Centre, the activities of which have been outsourced to cyber security experts BAE Systems.”

But, despite its efforts, Moores said searching questions would be asked about the company and its management.

Moores said: “Everything we have seen suggests that Talk Talk historically may have failed to take reasonable steps and that the CEO appears completely out of touch with the risks that are widely described. For that at least, she will have to answer to both her board and her customers.”

TalkTalk has made a very considerable effort in providing regular updates, under the heading Website attack affecting our customers, to give a clearer idea of what had happened.  It is quite a sophisticated and impressive approach, much better than the bland and factless statements that many organisations provide when suffering a data breach.

The updates state:

3:30pm – 24/10/2015 – Latest Update

The investigations by TalkTalk and the Metropolitan Police Cyber Crime Unit into the cyber attack continue.  We can confirm that the latest update of our investigation is as follows:

  • This cyber attack was on our website not our core systems
  • We can confirm that we do not store complete credit card details on the website; any credit card details that may have been accessed had a series of numbers hidden and therefore are not usable for financial transactions, e.g. 012345xxxxxx 6789
  • TalkTalk My Account passwords have not been accessed
  • We now expect the amount of financial information that may have been accessed to be materially lower than initially believed and would on its own not enable a criminal to take money from your account
  • The Metropolitan Police Cyber Crime Unit criminal investigation continues

All customers should:

  • Sign up to your free credit reporting service using this code: TT231. We have partnered with Noddle, one of the leading credit reference agencies, to offer 12 months of credit monitoring alerts for all TalkTalk customers. To sign up for Noddle and get your free credit monitoring alerts follow these steps.
  • Change your passwords – While TalkTalk My Account passwords have not been accessed, it would be prudent to change your TalkTalk password once this service is back up and running, and any other accounts that use the same password.  We will update as soon as services are restored
  • Report anything suspicious – Keep an eye on your bank account and report anything unusual to your bank and Action Fraud as soon as possible. Action Fraud is the UK’s national fraud and internet crime reporting centre, and can be reached on 0300 123 2040 or via http://www.actionfraud.police.uk
  • Stay vigilant – TalkTalk will NEVER call customers and ask you to provide personal details or passwords. Please take all steps to check the true identity of any organisation that calls requesting personal information. You can call us on 0800 083 2710 or 0141 230 0707.

1:15pm – 24/10/2015

We are investigating reports that customers’ bank accounts have been affected as a result of this week’s criminal attack, although at this stage there is no evidence that this is the case.

We do know that there are a small number of customers who have previously been targeted by criminals and fallen victim to scams, and we are continuing to support those affected.

5:45pm – 23/10/2015 – Credit monitoring for all customers

We are continuing to work closely with the Metropolitan Police Cyber Crime Unit and security experts following the major criminal cyber-attack on our website.

At the same time, our priority continues to be explaining the steps you should take to protect yourselves.  We have emailed customers and continue to use the media and other channels to update you as the situation develops.

We know that issues like this can be worrying so we’ve partnered with Noddle, a credit reporting service from Callcredit, one of the leading credit reference agencies, to offer 12 months of credit monitoring alerts for free.  This service can now be activated by using the following code: TT231.

To sign up for Noddle and get your free credit monitoring alerts follow these steps.

We are also working hard to get our services back up securely so they are available for customers to use safely and securely as soon as possible.

We are extremely sorry for any concern and inconvenience this incident may have caused you. 

A criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyberattack on our website. That investigation is ongoing, but unfortunately there is a chance that some of the following data has been compromised: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details. We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.

What have we done since we identified we’d been attacked?

As soon as we realised this, we shut down the website and we’ve been working with leading cybercrime specialists and the Metropolitan Police Cyber Crime Unit to establish exactly what happened and whether any of your individual information has been accessed.

We have begun contacting every customer directly, but in the meantime we’re working with the media to ensure customers get the information they need as quickly as possible.

How have our customers been affected?

The investigation is still ongoing, but unfortunately there is a chance that some of the following data may have been compromised:

  • Names
  • Addresses
  • Dates of birth
  • Email addresses
  • Telephone numbers
  • TalkTalk account information
  • Credit card details and/or bank details

We’d like to reassure customers that we take the security of your data very seriously. We constantly review and update our systems to make sure they’re as secure as possible and we’re taking all the necessary steps to understand this incident and to protect them as best we can against similar attacks in future.

What are we doing right now?

  • We are contacting all our customers by email and letter straight away to let them know what has happened and we will keep them up to date as we learn more. Whilst we send those letters we’re working with the media to ensure customers get the information they need as quickly as possible.
  • Since we discovered the attack on Wednesday, we’ve worked to secure the website.
  • Together with cybercrime experts, the security services and the police, we’re continuing to complete a thorough investigation.
  • We have contacted the Information Commissioner’s Office to share details of the attack.
  • We’ve contacted the major banks, and they are monitoring for any suspicious activity on our customers’ accounts.
  • We are offering a year’s free credit monitoring for all of our customers and will be contacting customers with the details. Noddle (www.noddle.co.uk) also allows free access to your credit report for life.

What you can do

  • Keep an eye on your accounts over the next few months. If you see anything unusual, please contact your bank and Action Fraud as soon as possible. Action Fraud is the UK’s national fraud and internet crime reporting centre, and they can be reached on 0300 123 2040 or via www.actionfraud.police.uk
  • If you are contacted by anyone asking you for personal data or passwords (such as for your bank account), please take all steps to check the true identity of the organisation.
  • Check your credit report with the three main credit agencies: Call Credit, Experian and Equifax.

Please be aware, TalkTalk will NEVER call customers and ask you to provide bank details unless we have already had specific permission from you to do so.

TalkTalk will also NEVER

  • Ask for your bank details to process a refund. If you are ever due a refund from us, we would only be able to process this if your bank details are already registered on our systems.
  • Call you and ask you to download software onto your computer, unless you have previously contacted TalkTalk, discussed and agreed a call back for this to take place.
  • Send you emails asking you to provide your full password. We will only ever ask for two digits from it to protect your security.

We understand this will be concerning and frustrating, and we want to reassure you that we are continuing to take every action possible to keep your information safe.

What has happened here?

Yesterday (Thursday 22nd October), a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyberattack on our website.

That investigation is ongoing, but unfortunately there is a chance some customer data may have been compromised. We’re continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.

As a precautionary measure, we’re contacting all our customers immediately advising them on what to do.

What customer details may have been compromised?

The police are still investigating the exact circumstances of the attack and the extent of information accessed. There is a chance that some of the following customer data has been compromised:

  • Name
  • Address
  • Date of birth
  • Email address
  • Telephone number
  • TalkTalk account information
  • Credit card details
  • Bank account details

What are you doing about it?

We’ve been working around the clock with the police and cyber security experts to understand what happened, and what data was taken.

  • We’re contacting all of our customers straight away to let them know what has happened and we will keep you up to date as we learn more. Whilst we contact customers directly, we’re working with the media to ensure people get the information they need as quickly as possible.
  • We have taken all necessary measures to secure the website.
  • We have contacted the Information Commissioner’s Office to share details of the attack.
  • We’ve contacted the major banks, and they are monitoring for any suspicious activity on our customers’ accounts.
  • We are offering a year’s free credit monitoring for all of our customers and will be in touch on this shortly.

What should I do about it?

  • Keep an eye on your accounts over the next few months. If you see anything unusual, please contact your bank and Action Fraud as soon as possible. Action Fraud is the UK’s national fraud and internet crime reporting centre, and they can be reached on 0300 123 2040 or via www.actionfraud.police.uk
  • If you are contacted by anyone asking you for personal data or passwords (such as for your bank account), please take all steps to check the true identity of the organisation.
  • Check your credit report with the main credit agencies: Call Credit, Experian and Equifax. Noddle also allows free access to your credit report for life.

How do I change my My Account password?

We’re still working to ensure My Account is safe and secure and for now, you won’t be able to log in and change your password. Once My Account is back online, you’ll be able to change your password quickly and easily. Unfortunately, it’s only possible to change your password through our website – we can’t help if you call us about this. We’ll post an update here and on Twitter @TalkTalkCare as soon as My Account is available again.
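The update above says the card numbers held on the website were stored with the middle digits hidden (012345xxxxxx 6789), which is why a leak of that field was judged unusable for payments, and the Guardian piece notes that PCI DSS requires firms to isolate such data. As an added illustration, not TalkTalk’s code or data, the Python below masks a PAN to the first six and last four digits (the most PCI DSS permits to display) and audits constructed sample records for any field that still holds a complete, Luhn-valid card number, which is the finding a PCI assessor would raise.

```python
import re

# Constructed sample of stored card fields (illustrative only, not real customer data).
SAMPLE_RECORDS = [
    {"id": 1, "card": "012345xxxxxx 6789"},    # masked, as described in the update
    {"id": 2, "card": "4111 1111 1111 1111"},  # full Luhn-valid PAN: must not be stored like this
    {"id": 3, "card": "411111xxxxxx1111"},     # masked
    {"id": 4, "card": "1234567812345678"},     # 16 digits but fails Luhn: not a real PAN
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits and replace the rest with 'x',
    the maximum PCI DSS allows to be displayed, matching the page's format."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "x" * (len(digits) - 10) + digits[-4:]


def is_full_pan(value: str) -> bool:
    """True if the stored value is a complete, Luhn-valid card number
    (only digits, spaces or dashes; any mask character disqualifies it)."""
    if not re.fullmatch(r"[\d\s-]+", value):
        return False
    digits = re.sub(r"\D", "", value)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_unmasked(records):
    """Return the ids of records that still hold an unmasked PAN."""
    return [r["id"] for r in records if is_full_pan(r["card"])]


if __name__ == "__main__":
    print("unmasked records:", find_unmasked(SAMPLE_RECORDS))
    print("masked form of record 2:", mask_pan(SAMPLE_RECORDS[1]["card"]))
```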
