2015 TalkTalk data breach explained

In October 2015, British telecommunications provider TalkTalk experienced a cyber attack that resulted in a data breach. As a consequence, personal and banking details of around 160,000 customers were illegally accessed.[1]

In the course of the attack, TalkTalk received a ransom demand from a group claiming to be responsible. Some customers complained that they were targeted by criminals before TalkTalk disclosed the cyber-attack, and the Chair of the Home Affairs Select Committee said "Suggestions that TalkTalk has covered up both the scale and duration of this attack ... must be thoroughly investigated."[2]

Attack and perpetrators

The attack was carried out using SQL injection.[3]

In September 2016, hacker Daniel Kelley was charged with blackmail, computer hacking, and fraud in connection with the TalkTalk data breach and various other attacks.[4] He pleaded guilty to 11 of the offences later that year. He was sentenced to 4 years in jail in 2019.[5]

In November 2018, two further suspects were found guilty of cybercrime charges in connection with the data breach.[6] [7]

Scope

It was initially thought that up to 4 million customers could be affected by the breach.[8] On 24 October, TalkTalk issued a statement saying that a "materially lower" amount of customers’ financial information was stolen, and that the stolen data was not sufficient for money to be taken from bank accounts.[9] On 6 November, TalkTalk stated that the impact of the breach was "much more limited than initially suspected", adding that 156,959 customer accounts were involved, from which 15,656 sort codes and bank account numbers had been taken. Partial data on 28,000 credit and debit cards was also stolen, but that data was insufficient for carrying out transactions on those cards.[10] TalkTalk stated that the lost data had not been encrypted, and that they had not been legally required to encrypt it.[11]

Aftermath

The direct and indirect costs of the attack for TalkTalk have been estimated at million. On 5 October 2016, TalkTalk was fined £400,000 by the Information Commissioner's Office for its negligence in securing client data.[12][13]

Notes and References

  1. "TalkTalk cyber-attack: Boss 'very sorry for security breach'". 23 October 2015. Archived at https://web.archive.org/web/20151023132433/http://www.bbc.co.uk/news/uk-34615226 on 23 October 2015. Retrieved 23 October 2015.
  2. "TalkTalk faces new questions over cyber attack". www.telegraph.co.uk. Retrieved 2023-08-01.
  3. "How an outdated database led to a data breach: Unpicking the TalkTalk cyber attack". cyberstart.com. Archived at https://web.archive.org/web/20230314180110/https://cyberstart.com/blog/how-an-outdated-database-led-to-a-data-breach-unpicking-the-talktalk-cyber-attack/ on 2023-03-14. Retrieved 2023-07-13.
  4. Press Association. "Teenager appears in court over TalkTalk cyber-attack". The Guardian, 2016-09-27. ISSN 0261-3077. Archived at https://web.archive.org/web/20230614183928/https://www.theguardian.com/uk-news/2016/sep/27/teenager-accused-of-talktalk-cyber-attack on 2023-06-14. Retrieved 2023-07-13.
  5. "TalkTalk hacker Daniel Kelley sentenced to four years". BBC News, 2019-06-10. Archived at https://web.archive.org/web/20221101101620/https://www.bbc.com/news/uk-wales-48587207 on 2022-11-01. Retrieved 2023-07-13.
  6. "TalkTalk hack attack: Friends jailed for cyber-crimes". BBC News, 2018-11-19. Archived at https://web.archive.org/web/20230205150557/https://www.bbc.com/news/uk-england-stoke-staffordshire-46264327 on 2023-02-05. Retrieved 2023-07-13.
  7. Press Association. "Two men jailed for involvement in TalkTalk hacking". The Guardian, 2018-11-19. ISSN 0261-3077. Archived at https://web.archive.org/web/20221126234749/https://www.theguardian.com/uk-news/2018/nov/19/two-men-jailed-talktalk-hacking-customer-data on 2022-11-26. Retrieved 2023-07-13.
  8. "TalkTalk cyber-attack: Boss 'receives ransom email'". BBC News, 2015-10-23. Archived at https://web.archive.org/web/20221127120317/https://www.bbc.com/news/uk-34615226 on 2022-11-27. Retrieved 2023-07-13.
  9. Gayle, Damien. "TalkTalk cyber-attack not as bad as first thought, company says". The Guardian, 2015-10-24. ISSN 0261-3077. Retrieved 2023-08-01.
  10. "TalkTalk hack 'affected 157,000 customers'". BBC News, 2015-11-06. Retrieved 2023-08-01.
  11. Fiveash, Kelly. "TalkTalk attack: 'No legal obligation to encrypt customer bank details', says chief". www.theregister.com. Retrieved 2023-08-01.
  12. "TalkTalk's Cyber Security Negligence Gets Hit With £400,000 ICO Fine". 5 October 2016. Archived at https://web.archive.org/web/20161208120834/http://www.silicon.co.uk/security/talktalk-cyber-security-ico-fine-198701 on 8 December 2016.
  13. "TalkTalk fined £400,000 over cyber theft". BBC News, 5 October 2016. Archived at https://web.archive.org/web/20161122121938/http://www.bbc.co.uk/news/business-37565367 on 22 November 2016.