The telecoms company TalkTalk has received a ransom demand from a person claiming to be behind a cyber-attack that could have resulted in the theft of personal information from millions of customers.
The attack exposed the latest security failure for the company, which was forced to admit it had not encrypted some personal details of customers. The hackers appeared to have stolen details that amount to a full toolkit for fraud including names, addresses and bank account information.
The ransom was understood to have been made in online currency bitcoin. A TalkTalk spokeswoman said: “We can confirm we were contacted by someone claiming to be responsible and seeking payment.”
The company, which saw its share price fall nearly 10 per cent in morning trading before rallying, said it could have done more “in hindsight” to protect private information. However, it emerged on 23 October that it has already been named as the company responsible for Europe’s biggest known data breach in the first six months of the year. The breach was given an 8.8 out of 10 rating of seriousness in a global index maintained by a security company, with a score above 9 considered “catastrophic”.
TalkTalk also admitted in August that some personal details had not been encrypted after another breach affecting nearly 500,000 customers. Encrypting data is seen as standard industry practice as a second line of defence against fraud as the expanding area of crime means data breaches for companies are inevitable.
The Information Commissioner, Christopher Graham, is also investigating and criticised the company for failing to tell his office about the breach until the following day. He said the lack of encryption could lead to a bigger fine, and cited the case of Sony Corporation, which had to pay £200,000 after hackers uncovered personal details of Sony Playstation users.
Chief executive Dido Harding said the “awful truth” was she did not know the extent of unencrypted data. “With the benefit of hindsight, were we doing enough? Well, you’ve got to say that we weren’t and obviously we will be looking back and reviewing that extremely seriously,” she said.
The identity of the attackers was unknown on 23 October but a group calling itself Th3 W3b 0f H4r4m [the web of haram] released e-mail details, addresses and bank account data of people it claimed were victims of the breach.
The Independent spoke to a number of those whose emails were listed who confirmed they were either current or former customers. “I’m very concerned,” said Alwyn Roberts, 75, when told his email was among those published online. “By the looks of it, they [Talk Talk] haven’t done anything to protect me.”
The attackers made unspecific threats against the West and warned that “your hands will be covered in blood”. It signed off: “Prepare, secure your websites, secure your borders, secure your country, but jihad from us is coming.”
Ewan Lawson, a cybersecurity expert at the Royal United Services Institute, said the message was similar to one from attackers who identified themselves as the “CyberCaliphate”, which knocked France’s TV5Monde channel off air for 18 hours in April.
Those behind the attack were initially thought to be hackers ideologically aligned to Isis but experts at security company FireEye later identified them as being from Russia, based on analysis of the computer code used. It identified the attackers as APT28, a group of hackers and Kremlin sympathisers who could have been supplied with the tools to carry out the job.
“Elements within the Russian state system are providing these tools to hacker/criminal groups and saying: ‘go off and cause a bit of chaos in the West’,” Mr Lawson said. “The boundaries that were artificially drawn around these groups have broken down: what’s hacktivists, what’s a criminal, what’s a state actor?”
A swift claim of responsibility is common practice by cyber criminals after a major data breach to advertise the potential sale of credit card information, which quickly loses its value when customers alert their bank, said Jens Monrad, of FireEye.
He said it was not yet clear if the French and TalkTalk attacks were linked, but could not rule out collaboration between criminals and ideologically driven hackers. Scotland Yard said it has launched an investigation alongside the National Crime Agency but no arrests have been made.
Official figures released last week on the scale of cyber crime suggested that on average one in 22 people has fallen victim to cyber crime. The head of Scotland Yard, Sir Bernard Hogan-Howe, has admitted that police are just “skimming the surface”. His force has created a squad of around 300 officers dedicated to the issue, he said, with the number likely to expand to 500 over the coming year.
Q&A: How Do I protect myself from cyber fraud?
Q | What should I do to prevent myself becoming a victim of cyber fraud?
A | If you’re a TalkTalk customer, change your password at once and if you use the same password for other firms or accounts, change that too. To be as safe as possible, you should have different passwords for every account you have to stop fraudsters being able to access all your accounts just by stealing details from one. You should also change passwords regularly. It’s also important to have security software on your computers and devices to protect your data from hackers, and keep it updated to repel the latest attacks.
Q | What if TalkTalk or another company rings me up to warn of a data breach?
A | Put the phone down and contact the company separately using normal methods. It’s almost certainly a fraudster preying on current fears to try to steal your details. Typical tricks involve claiming there’s been fraud on your bank account and then telling you that you need to act urgently to be safe. They’ll try to get you to reveal your personal details or to transfer money into what they claim is a “safe account”. If you fall for the trick, they’ll quickly siphon off your money. They may even send a courier to pick up your plastic cards “for safety”, but that will be part of the fraud, too.
Q | What if it’s the police?
A | The police, banks, communications companies or any other official body will never ask for your online banking password or other personal details and will certainly not ask you to transfer money to a new account or hand over plastic cards to a courier.
Q | What happens if I do become a victim?
A | As long as you’ve been sensible the law protects you if you become a fraud victim – and that includes a hacked bank account. But you may not get your money back if you have been reckless by, for example, writing your PIN on your card or handing it over to a crook. You also need to report any fraud promptly, so it’s important to keep a close eye on all your accounts and investigate any unexpected activity. If you do notice anything odd or think you may have been hacked, report it to Action Fraud on actionfraud.police.uk. You can find more advice at getsafeonline.org and cyberstreetwise.com
Simon Read - Personal Finance Editor