Almost four years ago, UK ISP ‘TalkTalk’ suffered a major data breach, as a small group of hackers wormed their way into the company’s systems and obtained personal information and bank account details for thousands of customers. The people responsible have since been arrested and TalkTalk was fined £400,000 for poor security practices. Now, the hack is back to haunt them, as it turns out they didn’t properly inform customers that their details were leaked.
The BBC’s Watchdog investigation claims that 4,545 TalkTalk customers were told that they weren’t impacted by the 2015 data breach, which later turned out to be untrue. That means these customers had their full names, addresses, email addresses, dates of birth, customer numbers, phone numbers freely available online, increasing the risk of identity fraud.
TalkTalk told the BBC that this was a case of human error and that misinformed customers have since been contacted to apologise.
David Emm, principal security researcher at Kaspersky Lab UK, has labelled this as “a reminder that online providers not only have a duty of care to secure their customers’, but also to inform them in a timely manner if their data has been compromised”.
“Cybercriminals will never stop trying to compromise systems to obtain valuable information, such as personal customer data, – including personal details, payment card information and other valuable data that can be used for criminal purposes. Businesses should take a step back and re-evaluate their security strategy regularly, to ensure that their security strategy remains effective.”
The TalkTalk hack came to light in October 2015 and impacted close to 157,000 customers in total. The company was already fined £400,000 for poor security practices. Currently, there is no word on an additional fine based on misinforming at risk customers.
KitGuru Says: It is one thing to suffer from a data breach, but misinforming customers that were affected makes matters much worse. Hopefully, this will serve as another reminder to UK companies that they should have proper security procedures in place, in addition to a plan of action to inform customers swiftly if a breach does occur.