The personal details of a number of TalkTalk customers have been stolen. In some cases, the details have been used to scam further information such as bank details from the victims.
TalkTalk is one of the biggest British internet service providers, with more than four million broadband customers. In an email to its customers, the ISP admitted to the breach late last year and said “a small, but nonetheless significant” number of its customers had been contacted by people pretending to be from TalkTalk.
According to a spokesman, the data was taken from TalkTalk’s systems, and the scammers quoted TalkTalk account numbers and phone numbers in order to convince victims to provide access to their computers. TalkTalk’s email suggested that this sometimes yielded sensitive information such as bank details, adding that “in some of these cases we know they may be using the information they have illegally obtained.”
It is so far not terribly clear how many customers’ data was stolen in the first place.
The Guardian reported that this admission lined up with its report in December of a possible data breach associated with one of TalkTalk’s Indian centers, which had resulted in some of the firm’s customers receiving scam calls. It also noted that one customer had been defrauded of more than $4,000 by the scammers.
TalkTalk stressed that bank account details and other sensitive information such as date of birth had not been stolen directly in the breach. In a statement, it said:
As part of our ongoing approach to security we continually test our systems and processes and following further investigation into these reports, we have now become aware that some limited, non-sensitive information about some customers could have been illegally accessed in violation of our security procedures. We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly.
The ISP also said it was talking to the Information Commissioner’s Office – the British data protection regulator – and has “taken serious steps to remedy this.” The ICO said in a statement: “We are aware of a possible data breach involving TalkTalk and are making enquiries into the circumstances.”
This article was updated at 2.30am PT to amend “the data was taken from TalkTalk’s servers” to “the data was taken from TalkTalk’s systems”, per a correction from the spokesman. It was updated again at 3.30am PT to include the ICO’s brief statement.