The UK telecommunications provider TalkTalk has made headlines in recent weeks following a breach against its website. Initially, the incident was believed to have compromised the personal and financial information of as many as four million TalkTalk customers. However, these estimates have since been revised as a result of an ongoing investigation led by London’s Metropolitan Police.
To clarify the development of this ongoing story, we have compiled a timeline of the events surrounding the TalkTalk breach thus far:
October 21, 2015
Richard De Vere, the Principal Consultant for the AntiSocial Engineer Ltd., contacts TalkTalk to inform them of a serious vulnerability. Senior techs at the company spend an hour on the phone with the researcher as he explains how it is possible to steal sensitive data from their sites.
Later that day, Down Detector records a spike in technical issues associated with TalkTalk. Some customers report issues with making calls, whereas others complain that they cannot log into their mail. Eventually, the ISP’s website becomes unavailable altogether.
Upon inquiry, a TalkTalk spokesman tells The Register:
“We have taken down talktalk.co.uk temporarily, and normal service will be resumed as soon as possible. Our taking down of the website is not related to a broadband outage.”
October 23, 2015
Tristia Harrison, Managing Director (Consumer) of TalkTalk, posts an update on the company’s website explaining that TalkTalk suffered a “significant and sustained cyber attack” on Wednesday, October 21st.
Harrison goes on to explain that the names, addresses, dates of birth, and credit card/bank details of as many as four million TalkTalk customers might have been compromised by the hack. As a result of this potential risk to customers’ personal information, Dido Harding, the chief executive of the company, urges customers to be wary of unexpected phone calls that ask for personal information with respect to their TalkTalk accounts.
On that same day, Harding confirms that TalkTalk received a ransom message in the form of an email from a group of hackers allegedly responsible for the breach. The company’s CEO cannot determine whether the email is genuine but the Metropolitan Police states that it will incorporate the email into its investigation of the incident.
October 24, 2015
Reports begin circulating online of hackers having used TalkTalk customers’ credit card details and banking accounts to make fraudulent purchases. One customer, Hilary Foster, a barrister’s clerk from southwest London, states that scammers stole cash from her bank account and used it to purchase £600 worth of goods before the card was blocked, whereas another user reports that the hackers interfered with his broadband connection.
October 25, 2015
Mike Barrie, a TalkTalk customer, expresses his belief to BBC News that the company might have been hacked “a couple of months ago” when he received a fraudulent phone call from a fake TalkTalk employee. Barrie attempted to report the incident to TalkTalk at the time, but the company allegedly “didn’t seem very interested.”
This fraudulent call might have been part of a larger campaign during which scammers phished for customers’ sensitive information following an earlier data breach that occurred at the company.
Later that day, TalkTalk releases an update in which it reveals that the attack targeted its website and not its core systems. The company explains that it does not store credit card details on its website, meaning that the amount of financial information accessed by the hackers is likely much lower than originally thought.
The company also states that account passwords were not accessed, that the Metropolitan Police Cyber Crime Unit criminal investigation is ongoing, and that it is preparing to investigate thousands of cases, such as those of Hilary Foster where customers lost money as a result of the breach.
October 26, 2015
TalkTalk confuses many in the information security community when it states that it has become a victim of a “sequential attack.” Many in the industry, including tech journalists with The Register, correct the company and state that it experienced an SQL-injection attack and not a second assault.
At the same time, the Cyber Crime Unit of the Metropolitan Police confirms the arrest of a 15-year-old teen in Northern Ireland in connection with the TalkTalk breach. The County Antrim police station states that it intends to interview the suspect while a search of the address is conducted.
October 30, 2015
The Metropolitan Police releases an update with regard to its investigation. Among other things, it reveals that it executed a search warrant at an address in Feltham and arrested another 16-year-old teenager on suspicion of having violated the Computer Misuse Act. The statement also notes that a second search occurred at a property in Liverpool for reasons that have yet to be disclosed.
TalkTalk also posts an update to its own investigation of the breach. It reports:
“The extent of the data accessed is significantly less than originally suspected.”
The update goes on to state that less than 21,000 unique bank account numbers and sort codes, less than 28,000 obscured credit and debit card details, less than 15,000 customer dates of birth, and less than 1.2 million customer email addresses, names and phone numbers were compromised in the hack.
TalkTalk goes on to explain that it has begun to notify affected customers that their information was exposed by the breach. This news comes on the heels of certain revelations that customers whose data was exposed in a TalkTalk breach in November of 2014 are still fighting for compensation from the UK telecommunications provider.
October 31, 2015
The Metropolitan Police Cyber Crime Unit arrests a 20-year-old man on Saturday in connection with the TalkTalk breach after obtaining a search warrant for a property in south Staffordshire. That individual posts bail a day later, pending further inquiries.
November 3, 2015
It is announced that a fourth individual has been arrested by the Metropolitan Police in alleged connection with the data theft that affected TalkTalk’s website. The individual, a 16-year-old boy, is detained by the police following the execution of a search warrant in Norwich. Meanwhile, the Metropolitan Police confirms that the previous three individuals arrested in connection with the breach have all since been bailed.
Please stay tuned for more developments regarding the TalkTalk breach. This post will be periodically updated.
November 6, 2015
TalkTalk reveals that the actual scope of the breach against its website is “much more limited than initially suspected”. As reported by the BBC, the company states that 156,959 customers’ personal information was compromised and that 15,656 banking details and/or sort codes were stolen. Additionally, 28,000 payment cards were “obscured” and “cannot be used for financial transactions”. By this time, TalkTalk has contacted all customers whose financial information was exposed. The company announces that it will begin contacting all other affected customers in the coming days.
November 8, 2015
Lawyers representing the Northern Irish teen who was arrested on October 26 on suspicion of having participated in the breach against TalkTalk file a lawsuit against three UK national newspapers (The Sun, Daily Mail, and The Daily Telegraph) over allegations that they violated the boy’s privacy by revealing his actual identity in some of their news stories. Google and Twitter are also named in another legal action pertaining to the teen’s privacy in a Belfast high court.
November 11, 2015
In a trading update, TalkTalk reports that the total cost of the damages it expects to incur as a result of the October data breach will range between £30 million and £35 million. These damages, the company goes on to explain, are largely due to a “loss of online sales and service capability.”
Harding also announces that the company will offer all customers a free upgrade, which can include free premium movies and sports programming for a certain period, a mobile SIM, or unlimited UK landline and mobile calls, as “a small gesture of goodwill after a period of uncertainty.” TalkTalk goes on to clarify, however, that customers interested in terminating their contract with the company cannot do so for free unless they can prove that their finances had been directly affected by the breach.
November 25, 2015
UK officials confirm the arrest of a fifth suspect in connection with the breach. Unlike the other suspects, the 18-year-old individual was apprehended on suspicion of blackmail after police executed a search warrant on a property in Llanelli, Wales. At this time, the teen has not been released on bail, and it is not believed he violated the Computer Misuse Act.