Over four million customers of UK mobile operator TalkTalk could have had their bank and credit card details stolen, after the company confirmed it suffered a 'significant and sustained' cyber attack.
A criminal investigation launched by the Metropolitan Police's Cyber Crime Unit into the attack 'is ongoing', said the company in a statement, 'but unfortunately there is a chance that some of the following data has been compromised: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details'.
The breach took place on Wednesday morning, but TalkTalk did not reveal it until late Thursday in a public statement, leading many customers to vent their anger on Twitter at not being informed first.
'@TalkTalkCare didn't contact me about this? Second time recently. How do I cancel mid contract? As you can't be trusted with my data,' ranted one Twitter user, @WhatTheBearSays.
What's worse, talking on the BBC's Today radio programme, TalkTalk chief executive Dido Harding said she 'couldn't confirm that the data has been encrypted'.
'Yes, I'm sorry,' she said, 'but that is exactly why I am on the airwaves this morning saying all of this, why we are giving all of our customers free credit monitoring for the course of the next years so that they can monitor if criminals are using that information to try and impersonate their identity.'
It's the third time this year that the group has suffered cyber security breaches – in August, Carphone Warehouse, the retailer which owns TalkTalk, was attacked, potentially leaking the personal details of 2.4 million customers.
And in February, TalkTalk customers were warned about scammers who had managed to steal thousands of account numbers and names.
TalkTalk has released an incident guide on the help page of its website, which includes information on who to contact if you suspect unusual activity on your bank account.
Here's how the experts are reacting to this latest breach, its potential consequences, and the lessons for other businesses needing to protect their data.
Mark Rodbert, CEO, predictive identity analytics company Idax:
'Hacked for the third time in the last year, TalkTalk breaches are quickly becoming a regular event.
'In my view either TalkTalk's internal controls are completely inadequate, or someone with undue access to data has gone rogue.'
Andy Heather, VP EMEA, data security, HP Security:
'Immediately following any high profile cyber attack there are questions such as who, how and what – to a great extent this is immaterial. Most companies do collect significant amounts of personal information on their customers such as their addresses, identification numbers and dates of birth. If left unprotected, this information would give the attackers almost all of the information they need to undertake fraudulent activity on a compromised user's behalf.
'Many leading companies already employ format-preserving encryption to protect the data itself. The TalkTalk attackers would have ended up with unusable encrypted data instead of the current outcome where an untold amount of their customers' personal information is now in the hands of cybercriminals.'
'The theft of financial information, credit card or account information, has a limited lifespan, until the victim changes the account details etc., but the personal information that can be obtained by accessing someone's account profile has a much broader use and can be used to commit a much wider range of fraud and identity theft, and simply cannot be changed.
'The value of this personal data to the cybercriminal has a much greater value, for example where the selling price for a single stolen credit card is around $1, if that card information is sold with a full identity profile that can dramatically increase up to $500. If the cyber criminals know where the real value is then surely we should all expect responsible organisations to pay appropriate attention to keeping our personal information safe.
'Encryption of data is essential to protect customer data not just when it is stored but throughout its entire life cycle, wherever it is, and however it is used within an organisation; this, along with a robust security stance, is the only way to stop criminals profiting from stolen data.'
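Format-preserving encryption, which Heather refers to above, produces ciphertext that has the same shape as the plaintext (a 16-digit card number encrypts to another 16-digit string), so it can sit in existing database columns and forms while being useless to anyone who steals the table without the key. The block below is an added illustration, not code from TalkTalk, HP or the article: it builds a small Feistel-style cipher over decimal strings with HMAC-SHA256 as the round function. The standardised modes practitioners actually deploy are NIST FF1 and FF3-1; this construction follows the same alternating-Feistel idea but is simplified for reading, and the constant names, the demo key and the sample card number are all constructed here.

```python
import hmac
import hashlib

# Assumed constants for this illustration (not from the article or any vendor).
ROUNDS = 10                                          # even, so both halves end in their original positions
DEMO_KEY = b"constructed-demo-key-not-for-real-use"  # constructed; real keys live in a KMS/HSM


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str, out_len: int) -> int:
    """Pseudo-random function for one Feistel round.

    HMAC-SHA256 over (tweak, round number, output length, input half), reduced
    to an integer of at most out_len decimal digits.
    """
    msg = tweak + bytes([round_no, out_len]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** out_len)


def _check_digits(digits: str) -> None:
    # isdigit() alone accepts non-ASCII digits, so also require ASCII.
    if not (digits.isascii() and digits.isdigit()) or len(digits) < 2:
        raise ValueError("input must be an ASCII string of at least two decimal digits")


def fpe_encrypt_digits(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a decimal string into another decimal string of the same length.

    Caveat shared with real FPE modes: very short inputs give a tiny message
    space, so encrypting e.g. two digits offers little protection on its own.
    """
    _check_digits(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2           # left half has u digits, right half v
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v      # length of the half replaced this round
        y = _round_function(key, tweak, i, b, m)
        c = (int(a) + y) % (10 ** m)    # modular addition keeps the result m digits long
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt_digits(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt_digits by running the Feistel rounds backwards."""
    _check_digits(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = _round_function(key, tweak, i, a, m)
        c = (int(b) - y) % (10 ** m)    # modular subtraction undoes the round's addition
        a, b = str(c).zfill(m), a
    return a + b


def protect_card_number(key: bytes, pan: str, tweak: bytes = b"") -> str:
    """Encrypt all but the last four digits of a card number.

    The stored value still looks like a card number and the last four digits
    stay usable for customer-service lookups. Binding the visible digits into
    the tweak is a design choice made here, not a rule from the article.
    """
    _check_digits(pan)
    if len(pan) < 6:
        raise ValueError("card number too short")
    head, last4 = pan[:-4], pan[-4:]
    return fpe_encrypt_digits(key, head, tweak + last4.encode("ascii")) + last4


def unprotect_card_number(key: bytes, stored: str, tweak: bytes = b"") -> str:
    """Recover the original card number from protect_card_number's output."""
    _check_digits(stored)
    head, last4 = stored[:-4], stored[-4:]
    return fpe_decrypt_digits(key, head, tweak + last4.encode("ascii")) + last4


if __name__ == "__main__":
    pan = "1234567812345670"            # constructed sample, not a real card number
    stored = protect_card_number(DEMO_KEY, pan)
    print("stored form:", stored)       # 16 digits, last four unchanged
    print("recovered:  ", unprotect_card_number(DEMO_KEY, stored))
```

The point the example makes is the one Heather draws: a copied table of protected values is just digit strings of the right shape, and only the holder of the key (ideally an HSM or key service, never the web tier that was compromised) can turn them back into card numbers. Dates of birth and account numbers can be handled the same way, since the cipher works on any decimal string.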
Nick Wilding, head of cyber resilience, best practice organisation AXELOS:
'The reality is that despite how much money, people, resources, and technology you apply to the cyber threat, you will never be bullet-proof. You will be breached at some time. No organisation, whatever size they are or whichever sector they operate in, is safe. While we do not know the cause of this latest incident, all boards must take the lead in setting the right 'tone from the top' to all staff, demonstrating that they have a real understanding of the key cyber risks and how they will respond to an attack.
'In addition organisations are missing a golden opportunity if they fail to take advantage of the most powerful force that can help protect their reputation, safeguard their information and keep customers close – their people. Employees need to understand the role they have in keeping their organisation’s most precious information secure – and they need to be actively involved and engaged in learning awareness programmes that use some of the latest learning techniques to avoid ‘ticking the compliance box’.'