A few days ago, a TalkTalk customer went public with a technical glitch that exposed private account information to a third party. This concerned customer also documented the interactions they had with TalkTalk as they sought to resolve the issue. Find out how TalkTalk acted in response.
TalkTalk Customer Data Casually Revealed
The issues began when a new TalkTalk broadband customer tried to sign in to their account. Instead of seeing their own account, they were presented with private information from another, unrelated TalkTalk account. All of this occurred on the TalkTalk website earlier this month.
Understandably worried, the new TalkTalk customer contacted TalkTalk via Twitter to make them aware of a potentially serious data breach. However, TalkTalk's response time and reply left a lot to be desired.
The customer, who is remaining anonymous, recognised that what they saw seemed to point to a "major breach of security regulations" and, more importantly, something that needed to be quickly dealt with.
However, TalkTalk Broadband Customer Services responded only to the fact that the customer could not view their own information because of the bug, not to the exposure of someone else's private details.
Just a few days ago, the customer who raised the issue reported still being able to easily view several database fields of personal information pertaining to a complete stranger:
- Full Name
- Home Address
- Home Phone Number
- Mobile Number
- Personal Email Address
- Telephone Password
What is worrying is that, with this much personal data exposed, a cybercriminal could conceivably impersonate the victim and gain access to their other online accounts or banking details.
Additionally, several account functions were apparently accessible that could have allowed a prankster or fraudster to lock the victim out of their own account, by changing the names, addresses and phone numbers on the account.
TechXpert would like to reiterate that, to make such malicious changes to another person's account, one would normally need that account's credentials (username and password) first. In this case, however, the personal data and account options were visible without them.
By this point, the worried customer had had enough of TalkTalk's cavalier attitude and promptly contacted the press.
TalkTalk Response: Was it enough?
Once the customer reached out to the specialist press, TalkTalk commented officially on the issue and finally recognised the "urgency and high priority" of the report.
TalkTalk stated that they had not been affected by a hack and that all internal security was intact. Their position is that it was just a bug that would not be easily repeated.
It is disappointing to see that TalkTalk waited until the press had been made aware of the issue, instead of taking their customer's concerns seriously in the first place.
This isn't TalkTalk's first security breach
In 2015, around 4 million TalkTalk customers were affected by a massive security breach that exposed a wide range of personal data to fraudsters. Crucially, this included financial information that clearly was not adequately encrypted.
After dealing with the aftermath of the breach, the Information Commissioner's Office (ICO) fined TalkTalk £400,000 due to the severity of the breach.
Four years after that, in 2019, BBC researchers found that several thousand victims of the 2015 breach had not been appropriately notified and that their online identities were still vulnerable to fraud.
What this all shows is a worrying pattern of behaviour by a telecoms company that is wilfully disregarding data security concerns from its own customers.