UK ISP TalkTalk Admits Illegal Customer Data Breach Fuelled Scam Calls

[Scubbie]

UK ISP TalkTalk Admits Illegal Customer Data Breach Fuelled Scam Calls - ISPreview UK

Low cost broadband and phone provider TalkTalk could be facing a fine from the Information Commissioner’s Office (ICO) after they finally coughed up to a serious customer data breach, which last year caused some of their subscribers to be hit by a spate of Indian-based scam callers.

Admittedly scam calls themselves are nothing new and at some point most of us will have picked up the phone only to be faced with just such a call, often one that claims to require our personal / financial details or which asks you to perform some sort of task on your computer. Calls like this are cleverly crafted, often exhibiting good knowledge of the business they’re impersonating, and adopt various tricks to encourage you to part with your data.

The same might have been true of the scammers that last year targeted TalkTalk customers, many of which claimed to be engineers for the ISP, at least that would have been the case were it not for the fact that they appeared to know an awful lot about their intended targets and related user accounts.

In TalkTalk’s case many of the scam callers said that they wanted to remove a virus/problem from the customer’s computer (the method they propose usually does the opposite) and then proceeded to read out their targets account number, name, phone number and postal address for verification. It’s likely that they could have found the address and name via public sources, but the account number? We note that some customers of BT also received similarly detailed scam calls during early 2014.

At the time TalkTalk said they would investigate and noted that they had “no concrete evidence of a data breach“. Several months have since passed and this week the ISP suddenly began sending out a notice to warn customers about the dangers of scam callers, although those emails don’t include all of the details that can be found on their website.

TalkTalk Statement

“We know some customers are currently being targeted by criminal scammers claiming to be from TalkTalk who have obtained their account and phone number. After further investigation, we’ve become aware that some limited information we have about some of our customers could have been accessed in violation of our security procedures.

We have reported the matter to the Information Commissioner’s Office [ICO] and we’re liaising with them and other official bodies, because unfortunately it is not only our customers who are being targeted by scammers.”

According to TalkTalk, a “detailed investigation” revealed that some customer information, including account numbers (note: no financial or date of birth data was compromised), appears to have been “illegally accessed in violation of our security procedures“. The ISP also claims to be working with an “external specialist security company to take urgent and serious steps to prevent this happening again“. Sadly they wouldn’t share how the breach happened, although if the ICO publishes a report then we may eventually find out.

TalkTalk now claims to have put “every possible measure” in place to try and stop this from happening again. The ISP has also advised customers to take extra care when anybody rings or emails them claiming to be from TalkTalk. The ISP said they would “NEVER” call customers and use an account number to identify you or prove that the call is genuine. The ISP also said they wouldn’t ask you to provide bank details (without specific prior permission), download software on to your computer or demand your account password.

The move to inform customers about all this appears to have been cleverly timed to coincide with the Government’s move this week to introduce tougher measures for tackling nuisance calls and thus it very nearly slipped under our radar, since many other businesses and ISPs have also been putting out similar advisories (most are merely educational). TalkTalk also run their own nuisance call reporting service, although ironically the ISP has in the past been the subject of complaints for making its own such calls (here).

As a rule it’s always wise to ignore any requests for personal or financial details over the phone (unless you’re the one making the call) and, after replacing the handset, always leave the phone for a good 15 minutes+ before calling-out again to a known / legitimate number in case the scammer is still hanging on to the end of your line (BT have separately made some changes to combat this).

[lianne]

I'm a little concerned about the call I got last week. The caller said he was from Talktalk and said there was data breach. he claimed that my information was leaked to the internet and that they monitored suspicious activities in my account. He asked me to provide my credit card number to verify if I made the changes. But instead of giving the info, I hung up. I thought the call was suspicious.

[lianne]

By the way, the caller used this number: ****. I googled it and https://www.callercenter.com/****.html came up along with several complaints against the caller. You guys should check out what the others said about this phone number.

[Scubbie]

Very strange that you should receive a call from someone claiming that they were from TalkTalk when you are posting from the Philipines.