- Names and addresses
- Dates of birth
- Email addresses
- Telephone numbers
- TalkTalk account information
- Credit card and bank details
Dido Harding, chief executive, said: “TalkTalk constantly updates its systems to make sure they are as secure as possible against the rapidly evolving threat of cyber crime, impacting an increasing number of individuals and organisations.”
“We take any threat to the security of our customers’ data extremely seriously and we are taking all the necessary steps to understand what has happened here. As a precaution, we are contacting all our customers straight away with information, support and advice around yesterday’s attack.”
Cyber security consultant and former Scotland Yard detective Adrian Culley told BBC Radio 4's Today programme that a Russian Islamist group had posted online to claim responsibility for the attacks.
Andy Heather, VP EMEA, HP Security – Data Security commented: “Immediately following any high profile cyber attack there are questions such as who, how and what. To a great extent this is immaterial. Most companies do collect significant amounts of personal information on their customers such as their addresses, identification numbers and dates of birth. If left unprotected, this information would give the attackers almost all of the information they need to undertake fraudulent activity on a compromised user's behalf.
This breach highlights a need for companies to place tighter controls on how their customers' sensitive information is protected. If data is left unprotected, it's not a matter of "if" it will be compromised - it's a matter of "when". Even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances. When a company is storing sensitive information about their customers, the risk is to the data itself. Therefore, a company needs to assume that all other security measures may fail, and the data itself must be a primary focus for protection - via encryption. It is critical to note that this protection needs to include all potentially sensitive information and not just financial related data.
Many leading companies already employ format-preserving encryption to protect the data itself. The TalkTalk attackers would have ended up with unusable encrypted data instead of the current outcome where an untold amount of their customers' personal information is now in the hands of cyber criminals.
The theft of financial information, such as credit card or account details, has a limited lifespan, until the victim changes the account details etc., but the personal information that can be obtained by accessing someone’s account profile has a much broader use and can be used to commit a much wider range of fraud and identity theft, and simply cannot be changed.
This personal data has a much greater value to the cyber criminal: for example, where the selling price for a single stolen credit card is around $1, selling that card information together with a full identity profile can dramatically increase the price, up to $500. If the cyber criminals know where the real value is then surely we should all expect responsible organisations to pay appropriate attention to keeping our personal information safe.
Encryption of data is essential to protect customer data not just when it is stored but throughout its entire life cycle, wherever it is and however it is used within an organisation. This, along with a robust security stance, is the only way to stop criminals profiting from stolen data.”
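The quote above recommends format-preserving encryption (FPE) so that stolen records are useless while the encrypted values still fit the columns, validators and screens built for the original data. The following is an added illustration of that property, written for this page; it is not HP's product, not code from TalkTalk, and not the NIST FF1/FF3-1 algorithm. It is a toy Feistel network over digit strings with HMAC-SHA256 as the round function, and the key, the card number and the field split (first six and last four digits left in clear, bound into the tweak) are all assumptions chosen for the example.

```python
"""Toy format-preserving encryption (FPE) for digit strings.

Added example, not a production algorithm: a balanced Feistel network whose
round function is HMAC-SHA256 reduced modulo 10**n, so every ciphertext is
again a digit string of the same length as the plaintext.  That is the
property the quoted argument relies on: a 16-digit card number stays a
16-digit string (schema, Luhn-free validators and UIs keep working) but the
digits are meaningless without the key.  Use a vetted FF1 implementation in
production; this is here to make the idea concrete.
"""
import hashlib
import hmac

ROUNDS = 10  # FF1 also uses ten Feistel rounds


def _prf(key: bytes, round_no: int, tweak: bytes, other_half: str, n: int) -> int:
    """Round function: PRF over (round, tweak, other half) mapped into [0, 10**n)."""
    msg = bytes([round_no]) + tweak + b"|" + other_half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** n)


def _mix(half: str, y: int, decrypt: bool) -> str:
    """Add (or, when decrypting, subtract) y to the half modulo 10**len(half),
    keeping leading zeros so the length never changes."""
    m = len(half)
    c = int(half) - y if decrypt else int(half) + y
    return str(c % (10 ** m)).zfill(m)


def _feistel(key: bytes, digits: str, tweak: bytes, decrypt: bool) -> str:
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a digit string of length >= 2")
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for i in order:
        if i % 2 == 0:  # even rounds transform the left half using the right
            a = _mix(a, _prf(key, i, tweak, b, len(a)), decrypt)
        else:           # odd rounds transform the right half using the left
            b = _mix(b, _prf(key, i, tweak, a, len(b)), decrypt)
    return a + b


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    return _feistel(key, digits, tweak, decrypt=False)


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    return _feistel(key, digits, tweak, decrypt=True)


def protect_pan(key: bytes, pan: str) -> str:
    """Encrypt the middle six digits of a 16-digit card number, leaving the
    BIN (first six) and last four in clear for routing and customer display.
    Those clear digits go into the tweak, so identical middle digits under a
    different BIN or last four encrypt to a different value."""
    if not (pan.isdigit() and len(pan) == 16):
        raise ValueError("expected a 16-digit PAN")
    bin_, middle, last4 = pan[:6], pan[6:12], pan[12:]
    return bin_ + fpe_encrypt(key, middle, (bin_ + last4).encode()) + last4


def unprotect_pan(key: bytes, protected: str) -> str:
    if not (protected.isdigit() and len(protected) == 16):
        raise ValueError("expected a 16-digit protected PAN")
    bin_, middle, last4 = protected[:6], protected[6:12], protected[12:]
    return bin_ + fpe_decrypt(key, middle, (bin_ + last4).encode()) + last4


if __name__ == "__main__":
    key = b"constructed demo key, not a real one"   # assumption: a test key
    pan = "4111111111111111"                         # constructed test number
    stored = protect_pan(key, pan)
    print("stored  :", stored)          # still 16 digits, same BIN and last four
    print("restored:", unprotect_pan(key, stored))
```

Two caveats a practitioner would add to the quote's optimism. First, FPE is deterministic: the same plaintext under the same key and tweak always gives the same ciphertext, which is why the clear BIN and last four are folded into the tweak here, and why an attacker who steals the table can still count how often each ciphertext repeats. Second, format preservation protects the data at rest only as long as the key stays outside the breached store; an application that decrypts on every page view hands the attacker the same data once the application itself is compromised, which is the "throughout its entire life cycle" point in the quote.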