Hack Brief: TalkTalk Now Says Hackers Only Hit 4 Percent of Its Users
When the UK telecom TalkTalk admitted it had been hit with a “significant and sustained cyberattack” last month, the security community imagined sophisticated Chinese hackers—not the gaggle of British teenagers who were later arrested for the breach. Now it seems TalkTalk may have overblown the damage from that breach too, raising fears of a massive data spill when in fact just 4 percent of its customers were hit.
The Hack—And Who’s Affected
On Friday, TalkTalk published a new statement about its October 21st hacker attack, revising the total number of victims down from potentially all of its customers to just 156,959. That’s a serious relief for the company and its customers, but nonetheless represents a serious, if smaller, data breach. In its statement, TalkTalk admits that hackers stole just over 15,000 victims’ bank account information, and 28,000 partial credit card numbers—though they say that the information isn’t enough for the cards to be used for fraud. But the company, which declined WIRED’s request for further comment, still hasn’t revealed exactly what other data might have been lost in the breach, such as usernames and passwords.
Since its breach, TalkTalk’s public response has been roundly criticized by the security community for its utter lack of information. Even now, the company isn’t commenting on whether the stolen user information was encrypted. And despite the good news that the breach was smaller than imagined, the company’s handling of the hacker attack illustrates how damaging a literally clueless initial reaction to a hacker attack can be. TalkTalk’s stock has fallen more than 30 percent in value since the breach.
“Our ongoing forensic analysis of the site confirms that the scale of the attack was much more limited than initially suspected,” the company’s statement reads. “It was a difficult decision to notify all our customers of the risk before we could establish the real extent of any data loss. We believe we had a responsibility to warn customers ahead of having the clarity we are finally able to give today.”
How Serious Is This?
TalkTalk says it’s reaching out to all 157,000 victims of the breach and offering them free credit monitoring. But if TalkTalk did in fact fail to encrypt its customers’ details like usernames and passwords for their online accounts, they still face the risk that those credentials could be leaked or sold to fraudsters. The company’s customers should reset not only their TalkTalk password, but those of any other accounts where they used the same password.
British police have already arrested four individuals suspected in the TalkTalk attack—a 15-year-old, two 16-year-olds, and a 20-year-old man, all from different cities around the UK. But the damage has been done—and much of that damage, it now seems, by TalkTalk’s own public relations team.