The TalkTalk breach fallout shows how the theft of Personally Identifiable Information (PII) can be exploited to cause huge loss and damage to individuals and why we should all be demanding proper protection of any personal information we share with others.

Data breaches are often reported in banal terms. There is an element of cynicism, skepticism, and detachment both from the media delivering the news and the public assessing the details. Another breach that won’t affect me? A breach that just exists as an article or news report with no actual cost or damage associated with it?

The Guardian provides an insight as to how personal information is a lethal weapon in the hands of the cunning criminal prepared to prey on the unwary public.

"The caller, he says, knew his name and all his other TalkTalk account details – enough to reassure him into thinking he was really talking to the firm"

The background is that TalkTalk - a major UK consumer telecomms services provider - suffered a data breach back in 2014. They only became aware of a potential breach after a sudden, sharp rise in customer complaints regarding attempted scam phonecalls. The firm has since conducted a forensic investigation and has unearthed a breach conducted via one of their India-based 3rd party suppliers with access to customer data.

The fallout is serious as the Guardian article shows - armed with just basic personal information, the potential to dupe a victim increases exponentially. If the caller has your name, address and even your account number, then surely it can only be a TalkTalk employee calling? Factor in some scare-tactics - 'You have been hacked and your computer is at risk' - and offer some financial upside - 'We'll compensate you for your trouble' - and it is easy to see how much more likely it would be to caught.

From an information security perspective TalkTalk's governance of their customer data went out of their hands when they allowed their 3rd Party partner access to the data.

The PCI DSS, formulated to protect cardholder data, contains specific guidance to the effect of, if you are entrusting card data to 3rd parties, make sure that these PCI 3rd Party Service Providers also operate robust security best practices. Part of the guidance is also to make sure that your IT Service Providers have provided an appropriate indemnification to you in the event of a breach of their systems. Clearly TalkTalk will be versed in the PCI DSS and ideally the same guidance would have been applied to their customers’ PII.

Now that the data has been stolen, TalkTalk need to take two courses of action. One is to bring legal action against the 3rd Party at fault and as part of any settlement, compensate any victims – this has been reported as being in progress. In parallel with this, they need to find a way to nullify the potential value of the stolen data. The problem they face is that any move now to contact customers with say, new updated account numbers will in itself create confusion and ironically, may create further opportunities for exploitation by the scammers.

Read the full Guardian article here

The Most Powerful & Reliable Cybersecurity Products

change tracker gen7r2 logo

Change Tracker Gen 7R2: Complete configuration and system integrity assurance combined with the most comprehensive and intelligent change control solution available.

FAST Cloud logo

Fast Cloud: Leverage the world’s largest whitelist repository to automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology)

vulnerability tracker logo

Vulnerability Tracker: The world’s only limitless and unrestricted vulnerability scanning solution with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

log tracker logo

Log Tracker: Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds

Contact Us

Corporate Headquarters

6160 Warren Parkway, Suite 100
Frisco, Texas, 75034

Phone 1: 1-949-407-5125

Phone 2: 888-638-9749 (toll-free)

[email protected]

United Kingdom

5 New Street Square
London EC4A 3TW

Phone: +44 (0) 203 588 3023

 [email protected]
SC Magazine Cybersecurity 500 CSGEA Winners 2021 CIS benchmarking SEWP Now Certified IBM Security
Copyright 2024, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.