So it turns out the TalkTalk hack is a lot more serious than they initially tried to make it out to be, TalkTalk claimed that it’s core system wasn’t compromised and only the website was breached.
But now they’ve admitted the hackers got away with bank account numbers, partial credit card numbers and dates of birth.
British telecoms company TalkTalk has published information regarding the details accessed by hackers in the recent data breach, and law enforcement has announced the arrest of a third suspect in the case.
Shortly after launching an investigation into the incident, TalkTalk attempted to downplay the incident saying that the attackers only breached its website and not its core systems, and that the amount of data exposed is significantly smaller than initially believed.
The company has now revealed that the hackers gained access to less than 21,000 bank account numbers and sort codes, less than 28,000 credit and debit cards, and less than 15,000 dates of birth. As it stated earlier in the investigation, the payment card numbers compromised in the breach are incomplete (i.e. six middle digits are blanked out), which means fraudsters cannot use the information directly to steal money from bank accounts.
TalkTalk also reported that the attackers accessed the names, email addresses and phone numbers of less than 1.2 million customers. The data, allegedly obtained by hackers after exploiting a SQL injection vulnerability, has been reportedly sold on cybercrime forums.
All affected individuals will be contacted and informed about the type of information that has been compromised.
The bad guys also got access to limited details from over 1 Million customers, which is a pretty serious leak. There have been some arrests in the UK since the incident, but mostly young teenagers who maybe got hold of the exploit later or took part in the DDoS.
I don’t really see a 16 year old from Norwich being the mastermind of a complex attack like this. Thankfully for TalkTalk the credit card details were stored with the middle 6 digits missing, so they are pretty useless to carders.
“As we have previously confirmed, the credit and debit card details cannot be used for financial transactions. In addition, we have shared the affected bank details with the major UK banks so they can take their usual actions to protect customers’ accounts in the highly unlikely event that a criminal attempts to defraud them,” TalkTalk said on Friday. “We also encourage you to take up the free 12 months of credit monitoring alerts with Noddle, one of the leading credit reference agencies.”
While the compromised data cannot be used directly to steal money from accounts, it can be highly useful for social engineering attacks, and now that TalkTalk told customers to expect to be contacted, such schemes could become even more successful. TalkTalk users have been warned that scammers and cybercriminals might leverage the recent incident to trick them into handing over bank details and passwords (TalkTalk says it will only ask for two digits), and installing malicious software.
The Metropolitan Police announced over the weekend the arrest of a third suspect in this case, a 20-year-old man from Staffordshire. Investigators had previously arrested a 15-year-old boy from Northern Ireland, and a 16-year-old from Feltham.
The teens were arrested on suspicion of committing offences covered by the Computer Misuse Act, and were later released on bail.
It’s certainly an interesting case, and from the way TalkTalk has acted – it could possibly go even deeper than this. With them already proving they are fully capable of covering up what really happened (at least for a limited time period).
I expect much more news to be cropping up over this in the coming months, if you want to see an absolute train wreck, just watch these:
Source: Security Week