TalkTalk Breach (2015)

Published: 01 March 2020

Breach Summary

TalkTalk suffered a series of security issues in 2015. Right from the start of the year people were discussing an increased number of scam calls[1]. On 26 February 2015 TalkTalk emailed customers to inform them of a data breach in which account numbers, addresses, and phone numbers were taken. The email detailed that a third-party contractor was believed to be responsible, and that TalkTalk was taking legal action against them[2]. It was believed that “a few thousand” customers were affected[3].

On 10 August 2017, TalkTalk were fined again for failing to adequately protect personal data “because it allowed staff to have access to large quantities of customer’s data” which “left the data open to exploitation by rogue employees”[10].

However, this was not the only breach announcement TalkTalk dealt with in 2015. In October 2015 TalkTalk released a statement on their website that they had suffered a “significant and sustained cyberattack” on 21 October 2015. It stated that an investigation was ongoing but that data may have been stolen[4]. On 22 October 2015 TalkTalk reported the data breach to the ICO[11].

The ICO stated that the attack took place between 15 October and 21 October 2015, and that 156,959 customers information was stolen, including names, addresses, dates of birth, phone numbers, and email addresses.[5] Plus 15,656 band account details and sort codes. The ICO statement said “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”[5] The actual vulnerable system was described as part of Tiscali’s infrastructure – which TalkTalk had acquired in 2009.

Two other SQL injection attacks were noted by the ICO, one marked as “successful” taking place on 17 July 2015 and another between 2 September and 3 September 2015[7].

The vulnerability was SQL Injection, however the MySQL database was noted, by the ICO, as being vulnerable to a vulnerability from 2012 which allowed access restrictions to be bypassed[7].

On 3 November 2015 the Culture, Media and Sport Committee launches an inquiry into the circumstances surrounding the breach, although the committee report wasn’t published until June 2016[12]. On 15 December 2015 the (now former) CEO Dido Harding gives evidence.[11][13] During this evidence Harding stated “there has only been one successful attack on our systems”, this is later contradicted by the ICO.[11]

As part of this evidence Harding stated that TalkTalk “was going through the accreditation process to the Cyber Essentials programme.”[13] The inquiry report stated that TalkTalk had reported 14 data breaches to the ICO over the two years previous to the breach, and that the ICO’s enforcement section of 30 staff were dealing with approximately 1,000 cases at any given time, plus 200,000 “public concerns” per year.[13]

Interestingly, the report states “a portion of CEO compensation should be linkted to effective cyber security, in a way to be decided by the Board” and that “it would be highly unusual for the CEO of a company to have to resign over an attack.” Which is interesting when considering the Target Breach of 2013 – the Target Breach story broke on 18 December 2013 and the CEO resigned on 5 May 2014; that’s 4 months and 17 days after the breach.

TalkTalk’s board took the decision to go public with the breach within a day of finding out about the breach, although it took two weeks to determine how many customers were affected[13].

In March 2016, TalkTalk announced that it would introduce voice biometric passwords for customers to access their accounts; they were the first UK ISP to do so[13][15][25]. [Editors note: the WSJ reported that a company were scammed, in March 2019, through a computer generated fake voice call]

On 5 October 2016, TalkTalk was fined £400,000 for their October 2015 breach[6]. This was the highest fine that had been given at the time, the previous highest being £350,000 issued against Prodial, a SPAM calling company[8][9].

On 13th December 2016, a youth was sentenced to a 12-month youth rehabilitation order over the breach, after he previously admitted seven offences related to hacking[20], he was 16 at the time of the offence[23]. The Register[21][22], links this with Elliot Guntun, who later plead guilty to breaching a Sexual Harm Prevention Order (SPHO) – The Register reports, the “Police said they had found indecent images of children on the then 16 year old’s devices”.

Further, the BBC report that Gunton is accused of computer fraud involving $800,000, in the US, and is therefore facing charges of wire fraud and aggregated identity theft which could result in a 20 year sentence[23]. Following this his parents have been charged due to helping him transfer cryptocurrency, they received a five-month and three-month jail sentence, both suspended for a year.[24]

On 19th November 2018, Matthew Hanley and Connor Allsopp were jailed for 12 months and 8 months respectively[17] for their part in the breach.

On 10th June 2019, Daniel Kelly, after pleading guilty to 11 hacking-related offences in 2016, was sentenced to four years detention in a young offender’s institute. Kelley was 18 years old at the time of his arrest[18]. He not only took part in the TalkTalk attack but also reportedly attempted to blackmail former CEO Dido Harding, demanding the equivalent of £80,000 in bitcoin[16], although the Crown Prosecution Service dropped the blackmail charge[19].

Breach Timeline

2009Tiscali infrastructure is acquired, which is later breached in October 2015
26 February 2015 TalkTalk announces a breach
17 July 2015 A successful SQL Injection attack affects TalkTalk
2 September 2015 Another SQL Injection attack affects TalkTalk
15 October 2015 Another successful SQL Injection attack affects TakTalk
21 October 2015 TalkTalk announces a breach
22 October 2015TalkTalk reports the breach to the ICO
3 November 2015Culture, Media and Sport Committee launches an enquiry into the breach
15 December 2015Former CEO, Dido Harding, delivers oral evidence to the Committee
17 March 2016TalkTalk intrduces voice biometrics
20 June 2016The Committee report is published
5 October 2016TalkTalk fined £400,000 by the ICO
10 August 2017TalkTalk fined £100,000 by the ICO

References

  1. https://www.actionfraud.police.uk/news/millions-of-talktalk-customers-vulnerable-to-fraud-after-data-breach
  2. https://www.theguardian.com/money/2015/feb/27/threat-to-millions-of-talktalk-customers
  3. https://www.bbc.co.uk/news/technology-31656613
  4. https://web.archive.org/web/20151022211310/http://help2.talktalk.co.uk/oct22incident
  5. https://web.archive.org/web/20161104155502/https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/
  6. https://web.archive.org/web/20170301160800/https://ico.org.uk/action-weve-taken/enforcement/talktalk-telecom-group-plc-mpn/
  7. https://web.archive.org/web/20170301160814/https://ico.org.uk/media/action-weve-taken/mpns/1625131/mpn-talk-talk-group-plc.pdf
  8. https://www.theguardian.com/business/2016/oct/05/talktalk-hit-with-record-400k-fine-over-cyber-attack#maincontent
  9. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/05/record-fine-for-firm-behind-nearly-100-million-nuisance-calls/
  10. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/08/personal-data-belonging-to-up-to-21-000-talktalk-customers-could-have-been-used-for-scams-and-fraud/#
  11. https://ico.org.uk/about-the-ico/news-and-events/talktalk-cyber-attack-how-the-ico-investigation-unfolded/
  12. https://www.parliament.uk/business/committees/committees-a-z/commons-select/culture-media-and-sport-committee/news-parliament-2015/cyber-security-report-publication-announcement-16-17/
  13. https://publications.parliament.uk/pa/cm201617/cmselect/cmcumeds/148/148.pdf
  14. http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/culture-media-and-sport-committee/cyber-security-protection-of-personal-data-online/oral/26312.html
  15. https://www.wired.co.uk/article/talktalk-voice-recognition-password-security
  16. https://www.bbc.co.uk/news/uk-wales-48587207
  17. https://www.theregister.co.uk/2018/11/20/talktalk_pair_jailed/
  18. https://www.theregister.co.uk/2019/06/10/talktalk_hacker_jailed/
  19. https://www.bbc.co.uk/news/uk-wales-47025847
  20. https://www.bbc.co.uk/news/uk-england-norfolk-38304392
  21. https://www.theregister.co.uk/2016/11/15/talktalk_h1_fy2017_results_hacker_teen_pleads_guilty/
  22. https://www.theregister.co.uk/2019/08/19/elliott_gunton_400k_repay_instagram_hacking_telstra/
  23. https://www.bbc.co.uk/news/uk-england-norfolk-49815601
  24. https://www.bbc.co.uk/news/uk-england-norfolk-49878686
  25. https://www.talktalkgroup.com/article/talktalkgroup/TalkTalk-Group–moved-articles-/2016/TalkTalk-introduces-voice-biometrics