TalkTalk Hack – Breach WAS Serious & Disclosed Bank Details

The New Acunetix V12 Engine


So it turns out the TalkTalk hack is a lot more serious than they initially tried to make it out to be, TalkTalk claimed that it’s core system wasn’t compromised and only the website was breached.

TalkTalk Hack - Breach WAS Serious & Disclosed Bank Details

But now they’ve admitted the hackers got away with bank account numbers, partial credit card numbers and dates of birth.

British telecoms company TalkTalk has published information regarding the details accessed by hackers in the recent data breach, and law enforcement has announced the arrest of a third suspect in the case.

Shortly after launching an investigation into the incident, TalkTalk attempted to downplay the incident saying that the attackers only breached its website and not its core systems, and that the amount of data exposed is significantly smaller than initially believed.

The company has now revealed that the hackers gained access to less than 21,000 bank account numbers and sort codes, less than 28,000 credit and debit cards, and less than 15,000 dates of birth. As it stated earlier in the investigation, the payment card numbers compromised in the breach are incomplete (i.e. six middle digits are blanked out), which means fraudsters cannot use the information directly to steal money from bank accounts.

TalkTalk also reported that the attackers accessed the names, email addresses and phone numbers of less than 1.2 million customers. The data, allegedly obtained by hackers after exploiting a SQL injection vulnerability, has been reportedly sold on cybercrime forums.

All affected individuals will be contacted and informed about the type of information that has been compromised.


The bad guys also got access to limited details from over 1 Million customers, which is a pretty serious leak. There have been some arrests in the UK since the incident, but mostly young teenagers who maybe got hold of the exploit later or took part in the DDoS.

I don’t really see a 16 year old from Norwich being the mastermind of a complex attack like this. Thankfully for TalkTalk the credit card details were stored with the middle 6 digits missing, so they are pretty useless to carders.

“As we have previously confirmed, the credit and debit card details cannot be used for financial transactions. In addition, we have shared the affected bank details with the major UK banks so they can take their usual actions to protect customers’ accounts in the highly unlikely event that a criminal attempts to defraud them,” TalkTalk said on Friday. “We also encourage you to take up the free 12 months of credit monitoring alerts with Noddle, one of the leading credit reference agencies.”

While the compromised data cannot be used directly to steal money from accounts, it can be highly useful for social engineering attacks, and now that TalkTalk told customers to expect to be contacted, such schemes could become even more successful. TalkTalk users have been warned that scammers and cybercriminals might leverage the recent incident to trick them into handing over bank details and passwords (TalkTalk says it will only ask for two digits), and installing malicious software.

The Metropolitan Police announced over the weekend the arrest of a third suspect in this case, a 20-year-old man from Staffordshire. Investigators had previously arrested a 15-year-old boy from Northern Ireland, and a 16-year-old from Feltham.

The teens were arrested on suspicion of committing offences covered by the Computer Misuse Act, and were later released on bail.

It’s certainly an interesting case, and from the way TalkTalk has acted – it could possibly go even deeper than this. With them already proving they are fully capable of covering up what really happened (at least for a limited time period).

I expect much more news to be cropping up over this in the coming months, if you want to see an absolute train wreck, just watch these:

Talk Talk CEO Dido Harding on the cyber attack – Newsnight
TalkTalk boss: I won’t guarantee against future hacks

Source: Security Week

Posted in: Exploits/Vulnerabilities, Legal Issues, Privacy


Latest Posts:


Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.


Comments are closed.