The TalkTalk breach fallout shows how the theft of Personally Identifiable Information (PII) can be exploited to cause huge loss and damage to individuals and why we should all be demanding proper protection of any personal information we share with others.

Data breaches are often reported in banal terms. There is an element of cynicism, skepticism, and detachment both from the media delivering the news and the public assessing the details. Another breach that won’t affect me? A breach that just exists as an article or news report with no actual cost or damage associated with it?

The Guardian provides an insight as to how personal information is a lethal weapon in the hands of the cunning criminal prepared to prey on the unwary public.

"The caller, he says, knew his name and all his other TalkTalk account details – enough to reassure him into thinking he was really talking to the firm"

The background is that TalkTalk - a major UK consumer telecoms services provider - suffered a data breach back in 2014. They only became aware of a potential breach after a sudden, sharp rise in customer complaints about attempted scam phone calls. The firm has since conducted a forensic investigation and has traced the breach to one of their India-based 3rd Party suppliers that had access to customer data.

The fallout is serious, as the Guardian article shows - armed with just basic personal information, a scammer's chance of duping a victim rises sharply. If the caller has your name, address and even your account number, then surely it can only be a TalkTalk employee calling? Factor in some scare tactics - 'You have been hacked and your computer is at risk' - and offer some financial upside - 'We'll compensate you for your trouble' - and it is easy to see how much more likely it is that a victim would be caught out.

From an information security perspective, TalkTalk's governance of their customer data went out of their hands the moment they allowed their 3rd Party partner access to the data: every control that applied inside TalkTalk had to be replicated, and verified, inside the supplier.

The PCI DSS, formulated to protect cardholder data, contains specific requirements for exactly this situation (Requirement 12.8): if you entrust card data to 3rd Parties, you must keep a list of those service providers, perform due diligence before engaging them, hold a written agreement in which they acknowledge responsibility for the security of the cardholder data they handle, and monitor their compliance status on an ongoing basis. The accompanying PCI SSC guidance also recommends making sure that your IT Service Providers have provided an appropriate indemnification to you in the event of a breach of their systems. TalkTalk, as a card-accepting merchant, will clearly be versed in the PCI DSS, and ideally the same discipline would have been applied to their customers' PII, not just to card numbers.

Now that the data has been stolen, TalkTalk need to take two courses of action. One is to bring legal action against the 3rd Party at fault and, as part of any settlement, compensate any victims – this has been reported as being in progress. In parallel, they need to find a way to nullify the value of the stolen data. The problem they face is that any move now to contact customers with, say, new account numbers will in itself create confusion and, ironically, may create further opportunities for exploitation by the scammers, who can just as easily claim to be calling about the 'new account number'.

Read the full Guardian article here

Copyright 2017, New Net Technologies LLC. All rights reserved. 