TalkTalk admits new failings in 2015 data breach notification

TalkTalk’s failure to notify all those affected by its 2015 data breach highlights the importance of data visibility so that breach notifications are fast and accurate – a key requirement of the GDPR

As the EU’s General Data Protection Regulation (GDPR) nears its first anniversary, TalkTalk has admitted that it failed to notify 4,545 customers affected by the 2015 cyber attack that exposed the personal details of more than 150,000 customers.

The failure came to light after BBC Watchdog Live conducted an investigation in response to viewers who were concerned that they had been affected by the TalkTalk breach, despite the company’s claims to the contrary.

This failure to notify all those affected by the breach highlights the importance of having all the necessary technology, systems and processes in place to enable organisations to collect and correlate breach information quickly and accurately to meet their obligations to notify data protection authorities and affected customers under the GDPR.

An investigation by the BBC’s consumer show revealed that the personal details of 4,545 TalkTalk customers were available online, including their full names, addresses, email addresses, dates of birth, TalkTalk customer numbers, mobile numbers and bank details, the BBC reports.

In the 2015 breach, the accounts of nearly 157,000 TalkTalk customers were accessed, including the bank account numbers and sort codes of more than 15,000 customers.

The Information Commissioner’s Office (ICO) issued a record fine of £400,000 after finding that the telecoms provider had failed to apply “the most basic cyber security measures”: it had not applied a fix for a software bug even though that fix had been available for more than three years, leaving its database vulnerable to a SQL injection attack.

In response to the findings by the recent BBC investigation, TalkTalk said that the failure to notify all those affected by the 2015 breach was “a genuine error” and that it has since written to all affected customers to apologise, adding that 99% of those affected had received the correct notification.

TalkTalk also said that, on their own, none of the details accessed in the 2015 incident could lead to any direct financial loss, but security researcher Scott Helme told the BBC that a fraudster could use the exposed details to set up direct debits and purchase goods or pretend to be the victim’s bank to gain other information about them.

Jake Moore, security specialist at ESET, said informing all customers of a potential data breach should be a top priority for companies.

“They need to make customers aware that they are potentially affected and give advice on next steps for customers. It is becoming a given that companies could get hacked, whatever the company size,” he said.

“However, the most important part of holding on to that reputation is being open, honest and clear about any attack from the earliest opportunity.”

According to Moore, the latest revelations about the TalkTalk breach could further damage the company’s business, and he advises all those potentially affected to take precautions.

“If anyone has had a TalkTalk account since before the 2015 breach occurred and has not changed operator, then it would be a good idea to monitor for fraudulent activity on their cards and be extra cautious of targeted phishing attacks. Never click on links in emails you are not expecting – even if they look genuine and personalised,” he said.
