Belfast Telegraph


Expert slams TalkTalk security

By Claire McNeilly

Published 24/10/2015

The TalkTalk headquarters in west London

An expert at Queen's University has said TalkTalk needs to tighten up its security after it suffered a third cyber attack in eight months.

David Crozier was speaking after it emerged that thousands of customers in Northern Ireland could have had their banking details and personal information stolen from the communications company's website.

The phone and broadband provider, which has over 4m UK customers, said potentially all customers could be affected but it was too early to know what data had been accessed.

Yesterday the company confirmed receipt of a ransom note seeking payment from someone who is claiming responsibility for the security attack that could expose the personal details to cyber criminals.

An "Islamic cyber jihadi" group also yesterday claimed responsibility for the breach via a message posted to the Pastebin website.

The Metropolitan Police said no one had been arrested yet but enquiries were ongoing.

In a statement TalkTalk said that a criminal investigation had been launched on Thursday.

It also said there was a chance that some of the following customer data, not all of which was encrypted, had been accessed:

  • Names and addresses
  • Dates of birth
  • Email addresses
  • Telephone numbers
  • TalkTalk account details
  • Credit card and bank details

Mr Crozier said TalkTalk - which is one of the UK's big four so-called quad-play providers (offering telephone, broadband, TV, and mobile services) - needs to "beef up" its security.

"TalkTalk is at fault in terms of the implementation of security on their systems," he said.

"They've been subject to a crime and the police are involved, but good security housekeeping hadn't been in place.

"The company has had security breaches three times in the last eight months so they really should have learned their lesson after the first time."

He added: "Ultimately, security costs a significant amount of money so perhaps they didn't have enough margin on their prices to allow for a really secure system."

Mr Crozier, technical marketing manager from the Centre for Secure Information Technologies at Queen's University, said it was a "very serious" data breach.

"It's a concern that people have access to customer records and their banking and associated credit card details," he said.

"All consumers can really do is keep an eye on their credit card and bank statements for any suspicious activity that might suggest that someone had used those details to fraudulently procure funds from their accounts.

"The database that has been hacked hasn't been encrypted, which means the criminals can access bank and credit card details."

Mr Crozier said he expects the company to lose customers in the aftermath of the attack and he said its brand reputation will take a significant hit in terms of being able to attract new customers. He added: "At least they've put their hands up immediately and admitted what has happened this time, whereas in the previous breaches it took some time."

An Ofcom spokesman said the watchdog was aware of a police investigation into a cyber attack on the TalkTalk website.

He added: "The company has assured Ofcom that it is working as a priority to understand exactly what happened, and how customers might be affected."

CEO Dido Harding said TalkTalk took any threat to the security of customers' data extremely seriously.

"TalkTalk constantly updates its systems to make sure they are as secure as possible against the rapidly evolving threat of cyber crime impacting an increasing number of individuals and organisations," she said.

This is the third in a spate of cyber attacks affecting TalkTalk customers.

In August the company revealed its mobile sales site was hit by a "sophisticated and co-ordinated cyber attack" in which personal data was breached by criminals.

And in February customers were warned about scammers who managed to steal thousands of account numbers and names from the company's computers.
