Beleaguered telecoms firm TalkTalk have attempted to downplay the cyber attack in which millions of customer details were stolen.
Data stolen in the cyber attack would not allow criminals to plunder customers’ bank accounts, the company claimed. Complete credit card details are not stored in its system, and account passwords were not accessed.
“We now expect the amount of financial information that may have been accessed to be materially lower than initially believed, and would on its own not enable a criminal to take money from your account,” a spokesman added.
The chief executive of TalkTalk, Dido Harding, insisted that customer bank details have not been compromised. Baroness Harding warned customers never to give out financial details if they are contacted by phone or email by anyone asking for personal information. “TalkTalk will never call you and ask you over the phone to give your personal financial information, we will never call you out of the blue and ask you to give us access to your computer.
“Those are criminals doing that and we all need to make sure that we don’t let them win,” she added.
The phone and broadband provider with more than 4 million UK customers originally described the computer attack as a “serious and sustained” assault, and admitted that banking details and personal information could have been accessed. TalkTalk said it was the third time this year that hackers had stolen confidential information.
It called in police and reportedly received a ransom demand for approximately £80,000 payable in bitcoins, an online virtual currency. The attackers threatened to publish customer data online unless the amount was paid. Scotland Yard declined to comment on the ransom, saying its cyber crime unit’s investigation was ongoing.
Several hacking groups have since claimed responsibility for the hack, including one described as a “Russian Islamist group”, although there is little evidence to support this.
Online security expert Brian Krebs said promises to post the stolen data appeared on an online black market site that specialised in selling stolen goods and illicit drugs. The posting was made by someone using the nickname “Courvoisier”.
Mr Krebs warned that opportunistic hack attacks were providing criminals with growing blackmail opportunities. “It seems as if the crooks are getting better situational awareness when they break in somewhere for an opportunistic attack to mushroom into something much bigger and most costly for the victim or organisation.”
Anxious TalkTalk customers have lambasted the company’s response to the hack, with scores of people criticising the lack of information from the firm. Several reported attempts, some successful, to target bank accounts or credit cards.
One customer, Hilary Foster, said she had lost £600 from her account, which the bank said it would refund. “I’ve had no phishing calls. I don’t give my information out, and my card hasn’t been out of my possession. It just seems like too much of a coincidence. I’d like TalkTalk to explain how my account was hacked.
“TalkTalk is denying all responsibility. They’re trying to put the blame on customers: there are very few people who fall victim to phishing scams. It still comes down to data not being encrypted. They have to take responsibility. This seems to be a way of stopping people getting out of their contracts early. I can’t imagine anyone picking TalkTalk as a broadband provider now.”
Another customer, Barbara Manley, said she and her husband had lost £9,000 from their bank account on 21 October, after being contacted by a caller purporting to be from TalkTalk on 18 October and then again on 20 October. “They appeared to know all about us and asked my husband to start the computer up and it went on from there,” she said. “It seemed so genuine.”
Customers have been offered free credit monitoring to check whether fraudsters are using stolen details to impersonate them. Business leaders have called for urgent action to tackle cyber crime after the latest attack. The Institute of Directors said that only “serious breaches” made the headlines, but attacks on British businesses “happen constantly”.
The Labour MP Keith Vaz, chair of the influential Home Affairs Select Committee, said his committee warned of the dangers from cyber crime two years ago, and urged greater spending on tackling it.
He said UK-based companies must be “vigilant and robust” in dealing with individuals’ data. “Cyber crime is a really bad crime. Because it does not involve physical violence people don’t realise how serious it is. Two years ago the select committee warned how serious it would be, and asked for more money to be spent on ensuring the police are fully equipped to deal with it.”
He said he was writing to the TalkTalk chairman, Sir Charles Dunstone, to discover why it took the company 36 hours to inform customers of the breach. “It’s unacceptable this should have happened a third time. Frankly, if it happens once and data is compromised most companies would want to do absolutely everything within their power to reassure their millions of customers, and make sure when they seek new customers they can reassure them their data is protected. To have happened three times without effective action being taken is very serious.”
He said police warned him two years ago they were losing the war against cyber crime: “What tends to happen is, if you’re hacked online and money is taken out of your bank account, the banks usually give it back, and therefore people don’t try to find out who is responsible.”
The Government said it was “committed to tackling cyber crime”.