Details stemming from a devastating 2015 TalkTalk data breach have been discovered online, much to the chagrin of customers whom the company had previously told were not affected.
Sensitive details for thousands of customers of British telecommunications company TalkTalk have been discovered online, despite the fact that they were told their data had not been stolen.
Bank account details, dates of birth, mobile numbers and more were all accessed by cybercriminals during a 2015 data breach that affected 157,000 customers.
The attack resulted from a combined distributed denial of service (DDoS) attack and an SQL injection against TalkTalk’s website.
At the time, TalkTalk admitted that more than 15,600 bank account numbers and sort codes were stolen. A number of arrests were made in connection with the attack and TalkTalk’s value plummeted by about a third. The Information Commissioner’s Office (ICO) handed down a record-breaking £400,000 fine, citing the “seriousness of the event” and the severity of the security failures that allowed the attack to succeeded with ease.
Yet recent revelations paint an even grimmer picture, with an additional 4,545 people found to be affected by the breach despite being previously assured that their information had not been compromised.
The recent news was first unearthed by BBC consumer show BBC Watchdog, which investigated and found personal details from these customers available online after a Google search.
When presented with the new evidence, TalkTalk said that it was a “genuine error” and that the company had since reached out to those impacted. It maintains: “On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss.”
Many of the affected users reported to Watchdog Live that they had been bombarded with scam calls and, in some cases, experienced attempted fraud and identity theft, which impacted their credit rating.
The data could feasibly be used to fuel social engineering attacks – in other words, impersonating a victim’s bank and duping them into revealing payment details. The details could also be used to sign up for services and set up direct debits, therefore purchasing goods on a victim’s behalf.