3.1 What was the attack?
TalkTalk had discovered that their website was being attacked, which forced them to bring down the website to prevent further attacks and to investigate the scope of the damage. It turned out that there were ways to gain unauthorised access to the underlying database that was associated with the website. The database contained personal information such as the names, addresses, phone numbers, email addresses, dates of birth and financial information of TalkTalk’s customers. The company initially feared that personal information belonging to all four million of their customers had been stolen, but later found that the scale of data lost was much smaller. TalkTalk issued a statement in November of the same year confirming the following lost data (BBC News, 2015):
- 156 959 customers had personal details accessed.
- From those customers, 15 656 bank account numbers and sort codes were stolen.
- 28 000 stolen credit and debit card numbers were ‘obscured’ (some digits of the card number were hidden) and ‘cannot be used for financial transactions’.
Nevertheless, for these 156 959 customers, it could have been be the start of a nightmare. They were vulnerable to identity crimes and scams. In fact, a number of customers claimed that they received scam phone calls a few days before TalkTalk disclosed the attack (Bain, 2015). For those who were in a long contract with TalkTalk, this was especially frustrating because TalkTalk did not allow customers to terminate the contract early unless they paid an early termination fee or proved they had suffered financial loss as a result of a scam directly related to this data breach. No doubt this policy angered customers and dented their trust in the company further (Millman, 2017).
In TalkTalk’s quarterly report release in February 2016, the financial loss resulting from the attack was estimated to be £60 million, which included costs related to responding to the incident, extra loads put on the call centres, and repairing vulnerable systems. In three months, TalkTalk also lost 95 000 customers, who left because of the attack (Burgess, 2016).
In addition, the Information Commissioner’s Office (ICO), which is the UK’s independent authority for upholding information rights in the public interest, fined TalkTalk £400 000 for ‘security failings that allowed a cyber attacker to access customer data with ease’ (ICO, 2016). The ICO’s investigation concluded that the attack could have been prevented if TalkTalk had taken basic security measures to protect their systems. The fine was the largest the ICO had ever issued at that time.
To placate their affected customers, TalkTalk offered them free credit monitoring for a year. Credit monitoring is a process of continuously monitoring one’s credit history in order to detect suspicious activity. By following the link below or finding your own resources, identify how a credit report can indicate the key warning signs of identify fraud.
(Open the link in a new tab or window by holding down Ctrl (or Cmd on a Mac) when you click on it).
The following are some key points identified from the web page:
- When a credit application is set up, lenders will usually ‘search’ for your credit rating. By checking the search history on your credit report, you may notice unusual activities.
- The credit report will show your address. If it has been altered by a fraudster, you should notice this.
- The credit report also lists any loans and credit card accounts you applied for. If there are any listed that you didn’t apply for, it is a sign that you are a victim of identity theft.