2015 TalkTalk data breach

In October 2015, British telecommunications provider TalkTalk experienced a cyber attack that resulted in a data breach. As a consequence, personal and banking details of around 160,000 customers were illegally accessed.[1]

In the course of the attack, TalkTalk received a ransom demand from a group claiming to be responsible. Some customers complained that they were targeted by criminals before TalkTalk disclosed the cyber-attack, and the Chair of the Home Affairs Select Committee said "Suggestions that TalkTalk has covered up both the scale and duration of this attack ... must be thoroughly investigated."[2]

Attack and perpetrators

The attack was carried out using SQL injection.[3]

In September 2016, hacker Daniel Kelley was charged with blackmail, computer hacking, and fraud in connection with the TalkTalk data breach and various other attacks.[4] He pleaded guilty to 11 of the offences later that year. He was sentenced to four years in prison in 2019.[5]

In November 2018, two further suspects were found guilty of cybercrime charges in connection with the data breach.[6][7]

Scope

It was initially thought that up to 4 million customers could be affected by the breach.[8] On 24 October, TalkTalk issued a statement saying that a "materially lower" amount of customers’ financial information was stolen, and that the stolen data was not sufficient for money to be taken from bank accounts.[9] On 6 November, TalkTalk stated that the impact of the breach was "much more limited than initially suspected", adding that 156,959 customer accounts were involved, from which 15,656 sort codes and bank account numbers had been taken. Partial data on 28,000 credit and debit cards was also stolen, but that data was insufficient for carrying out transactions on those cards.[10] TalkTalk stated that the lost data had not been encrypted, and that they had not been legally required to encrypt it.[11]

Aftermath

The direct and indirect costs of the attack for TalkTalk have been estimated at £77 million.[5] On 5 October 2016, TalkTalk was fined £400,000 by the Information Commissioner's Office for its negligence in securing client data.[12][13]

References

  1. "TalkTalk cyber-attack: Boss 'very sorry for security breach'". BBC News. BBC. 23 October 2015. Archived from the original on 23 October 2015. Retrieved 23 October 2015.
  2. "TalkTalk faces new questions over cyber attack". www.telegraph.co.uk. 23 October 2015. Retrieved 2023-08-01.
  3. "How an outdated database led to a data breach: Unpicking the TalkTalk cyber attack". cyberstart.com. Archived from the original on 2023-03-14. Retrieved 2023-07-13.
  4. "Teenager appears in court over TalkTalk cyber-attack". The Guardian. Press Association. 2016-09-27. ISSN 0261-3077. Archived from the original on 2023-06-14. Retrieved 2023-07-13.
  5. "TalkTalk hacker Daniel Kelley sentenced to four years". BBC News. 2019-06-10. Archived from the original on 2022-11-01. Retrieved 2023-07-13.
  6. "TalkTalk hack attack: Friends jailed for cyber-crimes". BBC News. 2018-11-19. Archived from the original on 2023-02-05. Retrieved 2023-07-13.
  7. "Two men jailed for involvement in TalkTalk hacking". The Guardian. Press Association. 2018-11-19. ISSN 0261-3077. Archived from the original on 2022-11-26. Retrieved 2023-07-13.
  8. "TalkTalk cyber-attack: Boss 'receives ransom email'". BBC News. 2015-10-23. Archived from the original on 2022-11-27. Retrieved 2023-07-13.
  9. Gayle, Damien (2015-10-24). "TalkTalk cyber-attack not as bad as first thought, company says". The Guardian. ISSN 0261-3077. Retrieved 2023-08-01.
  10. "TalkTalk hack 'affected 157,000 customers'". BBC News. 2015-11-06. Retrieved 2023-08-01.
  11. Fiveash, Kelly. "TalkTalk attack: 'No legal obligation to encrypt customer bank details', says chief". www.theregister.com. Retrieved 2023-08-01.
  12. "TalkTalk's Cyber Security Negligence Gets Hit With £400,000 ICO Fine". 5 October 2016. Archived from the original on 8 December 2016.
  13. "TalkTalk fined £400,000 over cyber theft". BBC News. 5 October 2016. Archived from the original on 22 November 2016.