U.K. ISP TalkTalk gets hacked, the CEO doesn’t even know if data was encrypted

TalkTalk, one of the U.K.’s largest Internet services providers, with more than four million customer accounts, has suffered its third data breach in 2015 — and the latest one is significant.

Founded initially as a subsidiary to the Carphone Warehouse mobile phone retailer, TalkTalk has emerged as one of the preeminent communication brands in the U.K., offering pay TV services, broadband, and a mobile network.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":1827186,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"A"}']

While the full extent of the latest hack hasn’t yet been revealed, the company has said that it’s likely that names, addresses, dates of birth, telephone numbers, email addresses, TalkTalk account numbers, and bank details have been compromised. Company CEO Dido Harding has said that all four million customers may be impacted, though confirmation of this hasn’t yet been given.

A “significant and sustained cyber attack” on the TalkTalk website was carried out on Wednesday of this week, after which the Metropolitan Police Cyber Crime Unit launched a criminal investigation. News of the breach started to emerge last night (U.K. time), but events took a twist today when Harding revealed she had received an email demanding a ransom from a group claiming responsibility for the attack.

But when asked by the BBC whether customer data was encrypted, she said she didn’t know:

“The awful truth is, I don’t know. I would love to be able to give you that complete and unequivocal assurance. But it would be wrong of me to give you that today, when the amount of data that these criminals have had access to is very large. I don’t want to give a false impression of confidence where I don’t have it.”

That the CEO of a major technology company can simply “not know” whether the data was encrypted is a startling confession, especially given how easy it would have been for her to find out whether it was or wasn’t. But a FAQ section on the company’s website does say:

Not all of the data was encrypted. We constantly review and update our systems to make sure they are as secure as possible. We’re working with the police and cyber security experts to understand what happened and protect as best we can against similar attacks in future.

But perhaps the most worrying facet of this latest hack is that the company has suffered two previous hits this year.

Back in February, TalkTalk sent an email to every customer warning them that scammers were using stolen data to “trick” people into handing over their bank details, though the actual number of customers whose data was pilfered was just a few thousand. Attackers had infiltrated TalkTalk’s systems and obtained names, addresses, phone numbers, and TalkTalk account numbers — this information was sold and then used by fraudsters to call customers and obtain their bank details.

And back in August, the Carphone Warehouse’s mobile site suffered a data breach that reportedly affected almost 500,000 TalkTalk customers.

Of course, the issue of data breaches has rarely been out the headlines in recent times — the Ashley Madison case is perhaps the most recent example, with tens of millions of users affected. However, the fact that a company can be infiltrated by cyber criminals so often, and still have the CEO not know what data (if any) was encrypted, should be worrying for any TalkTalk customer.

[aditude-amp id="medium1" targeting='{"env":"staging","page_type":"article","post_id":1827186,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"A"}']