TalkTalk hit with record fine for data breach

Company ordered to pay £400,000 for security failings that led to theft of 150,000 customers' details


TalkTalk hack to cost £35m - but won't dent profits

11 November

TalkTalk chief executive expects the total bill in the wake of its recent cyber-attack to be as much as £35m, but does not think this will affect its projection of profits for this year as a whole.

Dido Harding told the BBC total one-off costs would be between £30m and £35m. This covers "the response to the incident, the incremental calls into our call centres, obviously the additional IT and technology costs, and then the fact that over the last three weeks until yesterday our online sales sites have been down, so there will be lost revenue as a result".


The bill is much lower than had been expected – and reflects recent messages from the firm that the scale of the data breach was less severe than had been initially feared. Having issued a warning the day after the attack that all four million of its customers could be affected and that financial information was at risk, it has since emerged that 157,000 accounts were accessed and only incomplete financial information obtained.

TalkTalk has continued to warn customers they need to be vigilant against so-called "phishing scams" – fraudsters using personal information to trick individuals into giving up bank details. It has also offered all customers a free upgrade to compensate for "uncertainty", a response to criticism after it refused to waive early exit fees for customers who have not lost money as a result of the incident.

The message on costs came as the company said it still expects to hit its full-year profit target of £300m – and actually increased its dividend by 15p to 5.29p per share, The Guardian reports. TalkTalk’s stock had risen 12 per cent by mid-afternoon on Wednesday to 243.5p, although this is still below the 290p at which it traded prior to the hack being exposed.

US charges

Elsewhere, three men have been charged in relation to the largest cyber-attack on financial firms in US history, The Independent reports. Personal information of around 100 million people was accessed between 2012 and this summer, with data including names, addresses, emails and phone numbers of more than 83 million customers of US bank JPMorgan Chase obtained in summer 2014 alone.

Charged in the indictment in New York were Gery Shalon, 31, of Savyon, Israel; Ziv Orenstein, 40, of Bat Hefer, Israel and Joshua Samuel Aaron, 31, a US citizen living in Moscow and Tel Aviv, Israel.

The men "allegedly manipulated stock prices by selling shares of companies to individuals whose contact information they had stolen, before dumping their own shares and causing the price to fall", The Independent says. They were also charged with running an illegal payment processing business that collected $18m (£11.9m) in fees.

TalkTalk investors cheer latest hack details

06 November

Having initially briefed that every one of its four million accounts may have been accessed, TalkTalk has been trying to reassure its customers and investors over the scale of its recent data breach.

Last week the company said the cyber-attack had been much less severe than first feared. Today it published information on its website claiming that just 157,000 of its customers' details were accessed. This means just four per cent of users are at risk of fraud – and it maintains none are at risk of the direct fraud of their bank or credit cards being used without their knowledge.

In an update on its website, TalkTalk specifically revealed that 156,959 customers had personal details accessed, the BBC reports. Of these, 15,656 bank account numbers and sort codes were stolen, although this is typically not sufficient information to buy goods with and is the same information as is printed on any cheque.

Hackers acquired the credit and debit card numbers of 28,000 customers, the Daily Telegraph adds, but these were said to have been "obscured" and "orphaned" from the accounts to which they relate and so "cannot be used for financial transactions".

The company stressed that two million pieces of personal and account data were accessed in total and that customers should continue to be vigilant against attempts to extract further data through "phishing scams". This is when a scammer makes unsolicited contact posing as a company using personal data, in an attempt to extract bank or other financial details.

TalkTalk chief executive Dido Harding defended the decision to warn of a potentially more severe breach, despite this causing a selloff on its shares that has wiped a quarter from its market value. She said it had "a responsibility to warn customers ahead of having the clarity we are finally able to give today".

Shares have risen 2.6 per cent to 226.5p.

Police have announced that a fourth person has been arrested in connection with the hacking and bailed. Three of the four have been teenagers between 15 and 16 years old, which the Telegraph says raises "questions about the standard of TalkTalk's security measures".

TalkTalk hack: another teenager arrested over attack

30 October

A second teenager has been arrested in connection with the hacking of mobile operator TalkTalk, which exposed the personal and financial details of four million customers and was originally thought to have been the work of 'cyber-jihadists' based in Russia.

A 16-year-old boy was arrested on suspicion of Computer Misuse Act offences in Feltham, West London and later bailed, the BBC reports. The development follows the arrest earlier this week of a 15-year-old in Northern Ireland in connection with similar offences.

Police have also searched a residential address in Liverpool. The Metropolitan Police cyber crime unit is working with officers in Northern Ireland and the National Crime Agency, the British equivalent of the FBI, The Guardian adds.

News of the cyber attack first emerged last Wednesday, when TalkTalk chief executive Dido Harding warned it was possible all of its four million account holders were affected and that financial information had been accessed.

She has since said that the breach was less severe than first thought and that the stolen financial data was insufficient to steal money from customers.

Arguments have been ongoing about exemptions from exit fees for customers seeking to leave the network, which has been connected with three apparent data breaches in the past year. It has said it will only waive the charges where theft is shown to have taken place.

Elsewhere, MPs are to launch an inquiry into the cyber-attack, the BBC says.

Culture minister Ed Vaizey has indicated the government is not against compulsory encryption for firms holding customer data. TalkTalk's financial data was only partially encrypted prior to the attack.

TalkTalk hack: was it just a 15-year-old boy after all?

27 October

The TalkTalk cyber-attack, which affected four million customers and has prompted the company's shares to dive in recent days, may have been the work of a 15-year-old boy from Northern Ireland.

The BBC reports the teenager was arrested on Monday on suspicion of Computer Misuse Act offences. According to an announcement from Scotland Yard, which is coordinating a joint investigation involving the Metropolitan Police Cyber Crime Unit and the Police Service of Northern Ireland (PSNI), a house was also searched in County Antrim.

The searches are ongoing and the boy is being questioned by detectives from the PSNI.

If it turns out to have been an elaborate prank by one of a generation of children referred to colloquially as "cyber-natives", it will be a relief for the company and its customers. Investors were certainly taking heart, with shares up more than nine per cent this morning after recent steep falls.

But questions will persist over how secure the company's systems are given a child was able to infiltrate them from a home computer.

Compensation claims

The news comes as TalkTalk continues to face criticism from customers wanting to walk away after the recent security breach, which is the third the company has been exposed to over the past year (see below).

Complaints, in particular, are mounting over TalkTalk's refusal to offer exemptions to exit fees for customers who want to leave before their contract ends. The Daily Telegraph notes that TalkTalk will have to allow people to exit at no cost if it is found guilty of negligence, but until then the company says it will not waive fees unless a customer has been the victim of theft related to the breach.

At the weekend, TalkTalk's chief executive Dido Harding insisted this was unlikely, telling interviewers that the hack was less severe than previously thought. It affected the company's website rather than core networks, credit card details were not taken in full and accessible bank details are thought insufficient on their own to allow access to accounts.

TalkTalk's breach is currently being investigated by the Information Commissioner's Office, which has the power to hand down modest fines of up to £500,000, The Guardian notes. It is also being reviewed by Ofcom.

TalkTalk hack: who's to blame and what to do to protect yourself

26 October

TalkTalk has suffered a third online security issue in less than a year after a major data breach put the personal and bank details of millions of customers at risk. The company eventually received a ransom demand from the alleged culprits – but has maintained that customers' bank accounts are secure and hit back against critics. Here’s everything you need to know.

What has happened?

On Wednesday the mobile operator's servers came under a "sustained external attack", Reuters reports. The company issued a statement on Thursday evening warning customers that their personal details such as "names, addresses, date of birth, phone numbers [and] email addresses" may have been accessed, as well as "credit card details and/or bank details".

Am I at risk?

If you are a TalkTalk customer, potentially. The company has said the breach could affect all of its four million users.

What should I be looking out for?

TalkTalk has said that you should "keep an eye on your accounts over the next few months" and report anything suspicious to your bank or Action Fraud, The Guardian notes. Unlike an online data breach at Carphone Warehouse in August, which also affected some TalkTalk customers, "not all" of the bank details which may have been accessed were encrypted.

Personal information can also be used to defraud people. Between December 2014 and February 2015 hundreds of TalkTalk customers reported they were getting unsolicited calls claiming to be from the company. The calls quoted personal and account information in an effort to persuade them to reveal their bank details. One customer told The Guardian he lost £2,815 from his account.

Some customers have already reported receiving calls from potential scammers after the attack. Experts advise that if you receive a call from someone claiming to be from TalkTalk, do not give away any financial information. The firm said it would never call customers to ask for bank details and there is no reason why it should be asking you for such information unless you're setting up a new account.

Who is behind the attack?

Former Scotland Yard cybercrime detective Adrian Culley told the BBC this morning that a "cyber-jihadist group" based in Russia calling itself "TalkTalk Hackers" had released what appears to be customer information in an effort to claim responsibility for the attack. If it was such a group, it is more likely they will try to extort a ransom out of the company than defraud individual customers.

In fact, the company later confirmed it had received a ransom demand. The risk for customers is that if the company does not pay and the group is not caught, it may resort to publishing the details or using them to steal money directly.

Culley warned that "just because a group claims they are behind the attack, it does not mean it is true".

What has TalkTalk done?

Culley says the company's response has been "exemplary". TalkTalk has got the police involved and notified customers at an early stage – far earlier, in fact, than Carphone Warehouse did after the last attack in August. The company has shut down the 'My Account' access to the website.

Was its security lax?

That's what an IT researcher has told the press. He says he raised concerns with chief executive Dido Harding's office last year, but that this clearly failed to result in adequate action.

Harding has hit back, saying TalkTalk's security has improved dramatically in the past year and that it is "head and shoulders above" some competitors and critics. She added that bank details that were not encrypted would not allow access to accounts as the long card numbers needed to make payments were at least partially hidden.

How is TalkTalk being affected?

Some customers are very angry that the company, described as one of the smaller mobile operators, has suffered another data breach. TalkTalk may not have been directly targeted in the August breach – and has not accepted liability for the issues reported earlier in the year – but for many of its customers the cyber-attack on Wednesday may be reason to switch to a larger rival.

One customer, Malcolm Hepple, told the BBC: "What is the point of TalkTalk asking customers to change their passwords if they are so inept as to allow three breaches of security within the last year, and two within the last two months. I shall be moving to another subscriber as soon as possible."

Investors are clearly worried about how this might play out, as shares lost 4.4 per cent on Friday and they tanked another nine per cent in early trading this morning.

Is TalkTalk the only company to have been targeted by online attacks?

Far from it. Earlier this month it emerged that T-Mobile in the US had suffered a major security breach. The mobile operator is one of a growing number of businesses on the other side of the Atlantic to be hit by cyber attacks. Companies that have been targeted in recent years include – famously – the adultery website Ashley Madison, as well as Sony Pictures and retailers such as Home Depot, Target and eBay.

Even this latest breach may not be confined to TalkTalk. The BBC's business editor Kamal Ahmed says there was a "significant upsurge" in companies reporting attacks on Wednesday, the day TalkTalk was infiltrated. "Some appear to be connected with extortion, with ransoms demanded in Bitcoins."
