The TalkTalk breach fallout shows how the theft of Personally Identifiable Information (PII) can be exploited to cause huge loss and damage to individuals and why we should all be demanding proper protection of any personal information we share with others.

Data breaches are often reported in banal terms. There is an element of cynicism, skepticism, and detachment both from the media delivering the news and the public assessing the details. Another breach that won’t affect me? A breach that just exists as an article or news report with no actual cost or damage associated with it?

The Guardian provides an insight as to how personal information is a lethal weapon in the hands of the cunning criminal prepared to prey on the unwary public.

"The caller, he says, knew his name and all his other TalkTalk account details – enough to reassure him into thinking he was really talking to the firm"

The background is that TalkTalk - a major UK consumer telecomms services provider - suffered a data breach back in 2014. They only became aware of a potential breach after a sudden, sharp rise in customer complaints regarding attempted scam phonecalls. The firm has since conducted a forensic investigation and has unearthed a breach conducted via one of their India-based 3rd party suppliers with access to customer data.

The fallout is serious as the Guardian article shows - armed with just basic personal information, the potential to dupe a victim increases exponentially. If the caller has your name, address and even your account number, then surely it can only be a TalkTalk employee calling? Factor in some scare-tactics - 'You have been hacked and your computer is at risk' - and offer some financial upside - 'We'll compensate you for your trouble' - and it is easy to see how much more likely it would be to caught.

From an information security perspective TalkTalk's governance of their customer data went out of their hands when they allowed their 3rd Party partner access to the data.

The PCI DSS, formulated to protect cardholder data, contains specific guidance to the effect of, if you are entrusting card data to 3rd parties, make sure that these PCI 3rd Party Service Providers also operate robust security best practices. Part of the guidance is also to make sure that your IT Service Providers have provided an appropriate indemnification to you in the event of a breach of their systems. Clearly TalkTalk will be versed in the PCI DSS and ideally the same guidance would have been applied to their customers’ PII.

Now that the data has been stolen, TalkTalk need to take two courses of action. One is to bring legal action against the 3rd Party at fault and as part of any settlement, compensate any victims – this has been reported as being in progress. In parallel with this, they need to find a way to nullify the potential value of the stolen data. The problem they face is that any move now to contact customers with say, new updated account numbers will in itself create confusion and ironically, may create further opportunities for exploitation by the scammers.

Read the full Guardian article here

NNT Suite of Products

change tracker gen7r2 logo

Combine industry leading Device Hardening, File Integrity Monitoring, Change Control, Configuration Management & Compliance Management into one easy to use solution that can scale to the most demanding environments!

fastcloud logo

Automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology) Integrity Assurance.

log tracker logo logo

Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds.

vulnerability tracker logo

Continuously scan and identify vulnerabilities with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

USA Offices
New Net Technologies LLC
Naples
Suite #10115, 9128 Strada Place
Naples, Florida, 34108
Atlanta
1175 Peachtree St NE
Atlanta, Georgia, 30361.
Portland
4145 SW Watson, Suite 350
Beaverton, Oregon, 97005.

Tel: (844) 898-8358
email [email protected]
UK Office
New Net Technologies Ltd
Rivers Lodge, West Common
Harpenden, Hertfordshire
AL5 2JD

Tel: 01582 287310
email [email protected]
CIS benchmarking SEWP Cybersecurity 500Sans Institute Now Certified
Copyright 2019, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.