The TalkTalk breach fallout shows how the theft of Personally Identifiable Information (PII) can be exploited to cause huge loss and damage to individuals and why we should all be demanding proper protection of any personal information we share with others.
Data breaches are often reported in banal terms. There is an element of cynicism, skepticism, and detachment both from the media delivering the news and the public assessing the details. Another breach that won’t affect me? A breach that just exists as an article or news report with no actual cost or damage associated with it?
The Guardian provides an insight into how personal information becomes a lethal weapon in the hands of a cunning criminal prepared to prey on the unwary public.
"The caller, he says, knew his name and all his other TalkTalk account details – enough to reassure him into thinking he was really talking to the firm"
The background is that TalkTalk - a major UK consumer telecoms services provider - suffered a data breach back in 2014. They only became aware of a potential breach after a sudden, sharp rise in customer complaints about attempted scam phone calls. The firm has since conducted a forensic investigation and has unearthed a breach conducted via one of their India-based third-party suppliers with access to customer data.
The fallout is serious, as the Guardian article shows - armed with just basic personal information, the potential to dupe a victim increases exponentially. If the caller has your name, address and even your account number, then surely it can only be a TalkTalk employee calling? Factor in some scare tactics - 'You have been hacked and your computer is at risk' - and offer some financial upside - 'We'll compensate you for your trouble' - and it is easy to see how much more likely it is that a victim would be caught out.
From an information security perspective, TalkTalk's governance of their customer data went out of their hands the moment they allowed their third-party partner access to the data.
The PCI DSS, formulated to protect cardholder data, contains specific guidance to the effect that, if you are entrusting card data to third parties, you must make sure that these PCI third-party service providers also operate robust security best practices. Part of the guidance is also to make sure that your IT service providers have provided an appropriate indemnification to you in the event of a breach of their systems. Clearly TalkTalk will be versed in the PCI DSS, and ideally the same guidance would have been applied to their customers' PII.
Now that the data has been stolen, TalkTalk need to take two courses of action. One is to bring legal action against the third party at fault and, as part of any settlement, compensate any victims - this has been reported as being in progress. In parallel with this, they need to find a way to nullify the potential value of the stolen data. The problem they face is that any move now to contact customers with, say, new updated account numbers will in itself create confusion and, ironically, may create further opportunities for exploitation by the scammers.
Read the full Guardian article here