
TalkTalk Faces Ransom Demand After Breach

4 Million Customers at Risk Following Hack Attack

TalkTalk Telecom Group has been hit with a ransom demand, following a "significant" hack attack that remains under investigation. The London-based telecommunications provider has warned that information for up to 4 million customers may have been compromised in the data breach, including payment card accounts and bank details.


To date, however, it's not clear if the ransom demand has been lodged by whoever hacked the company. "All I can say is that I had personally received a contact from someone purporting - as I say I don't know whether they are or are not - to be the hacker looking for money," Dido Harding, chief executive of TalkTalk, tells the BBC (see TalkTalk Attack Highlights Worldwide Breach Concerns).

After saying Oct. 21 that it was investigating a potential breach, TalkTalk on Oct. 23 issued a warning confirming that it had suffered a "significant and sustained cyberattack on our website." The company says it's assisting with the Metropolitan Police Cyber Crime Unit's related investigation, and has also hired a third-party firm for breach investigation and remediation purposes, which Reuters reports is BAE Systems.

But the full extent of the breach is not yet clear, TalkTalk says. "That investigation is ongoing, but unfortunately there is a chance that some of the following data has been compromised: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details."

TalkTalk declined to comment on whether any of the customer or financial data that it was storing was encrypted. But the company says it has arranged to provide a year of free credit monitoring to all customers via Noddle, which is a credit reporting service from credit-reference agency Callcredit, and says that it is contacting all customers with breach-related information and advice around the attack.

The suspected breach and data theft follows TalkTalk in February warning that it had suffered a separate data breach that compromised some customer data - including their account numbers, names and contact information - and that beginning at the end of 2014, scammers had begun using the information to launch social-engineering attacks against its customers (see U.K. Telco Confirms Data Breach).

Russian Islamist Hackers Claim Credit

For this breach, a Pastebin post titled "Message From TalkTalk Hackers" also surfaced Oct. 22, which includes a selection of what is purportedly customer data - although that claim has yet to be verified - and is signed "Muhammed Rises."

"We have made our tracks untraceable through Onion routing, encrypted chat messages, private key emails, hacked servers," the apparently Islamist hackers claim, adding that they are operating from Russia. "We will teach our children to use the Web for Allah."

As part of its investigation, TalkTalk has temporarily deactivated customers' "My Account" webmail access to their email, and said customers will have to change their passwords once TalkTalk reactivates its online password-changing functionality. "We're working to restore My Account as quickly as possible. You don't need to change your password until it is restored," TalkTalk says.

Security experts have advised TalkTalk customers to change their passwords as soon as possible, as well as to monitor bank statements for any signs of fraud.

Attack Impetus

Security experts say the stolen data could be sold on fraudster forums or simply used to make a political point. "We are certain that the compromise of sensitive customer information will hold financial value in the underground and present significant damage to TalkTalk's reputation, which may be capitalized upon by ego- or politically motivated attackers," threat-intelligence firm iSight Partners says in a research note.

Britain's Daily Mirror reports that some TalkTalk customers have reported seeing fraud on the payment cards they registered with the telecommunications provider. But given that some customers also reported that hackers somehow slowed down their broadband connections - which is unlikely, technically speaking - those accounts may not be accurate.

In the wake of some news reports saying the hack attack was the work of "Islamist jihadists," iSight Partners also cautions against taking anything the purported hackers say at face value. "We have previously observed several examples of hacktivist groups claiming affiliation with Islamist extremist groups in order to draw additional attention to their activity or to obfuscate the true origin and motive behind the activity. It is possible that the claimed affiliation with Islamists connected to the TalkTalk breach is similarly false."

The latest TalkTalk breach alert follows U.K.-based mobile phone retailer Carphone Warehouse warning in August that a hack attack against its site may have compromised personal information for up to 2.4 million customers (see Carphone Warehouse Hack Exposes Data of 2.4 Million Customers).

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
