Over four million customers of UK mobile operator TalkTalk could have had their bank and credit card details stolen, after the company confirmed it suffered a ‘significant and sustained’ cyber attack.

A criminal investigation launched by the Metropolitan Police’s Cyber Crime Unit into the attack ‘is ongoing’, said the company in statement, ‘but unfortunately there is a chance that some of the following data has been compromised: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details’.

The breach took place on Wednesday morning, but TalkTalk did not reveal it until late Thursday in a public statement, leading many customers to vent their anger on Twitter at not being informed first. 

What’s worse, talking on the BBC’s Today radio programme, TalkTalk chief executive Dido Harding said she ‘couldn’t confirm that the data has been encrypted’.

> See also: The three questions you should be asking about your online security

‘Yes, I’m sorry,’ she said, ‘but that is exactly why I am on the airwaves this morning saying all of this, why we are giving all of our customers free credit monitoring for the course of the next years so that they can monitor if criminals are using that information to try and impersonate their identity.’

It’s the third time this year that the group has suffered cyber security breaches – in August, Carphone Warehouse, the retailer which owns TalkTalk, was attacked, potentially leaking the personal details of 2.4 million customers. 

And in February, TalkTalk customers were warned about scammers who had managed to steal thousands of account numbers and names.

TalkTalk has released an incident guide on the help page of its website, which includes information on who to contact if you suspect unusual activity on your bank account.

Here’s how the experts are reacting to this latest breach, its potential consequences, and the lessons for other businesses needing to protect their data.

Mark Rodbert, CEO, predictive identity analytics company Idax:

‘Hacked for the third time in the last year, TalkTalk breaches are quickly becoming a regular event. 

‘Unlike with Ashley Madison a few months back, the team at TalkTalk is suggesting that the breach is an external issue. Typically companies blame cybercriminals in order to quickly take the blame and pressure off of themselves. For breaches to happen three times in one year though, I’d be surprised if there wasn’t some sort of internal involvement either unwitting or deliberate. Companies prefer the idea of the evil genius hacker, to the trusted employee gone rogue.

‘We’ve found that too many companies are failing to manage access to sensitive data. A recent report from the Ponemon Institute reports that 71% of staff think they have access to company data they should probably not see. So what’s the answer? To start with a better oversight of who has access to what information can go a long way to protecting sensitive information. This can be achieved with the right technology relatively quickly as well.

‘In my view either TalkTalk’s internal controls are completely inadequate, or someone with undue access to data has gone rogue.’

Michala Hart, head of channel strategy, cloud and network provider Exponential-e:

‘Once again, this latest attack shows that it¹s not a matter of if you’ll be hacked but when.

‘The real challenge is how quickly you can respond and recover. The first step is to prioritise end-to-end defence. Move the most critical systems off the internet and onto private networks and private clouds. This denies hackers a point of attack.

‘The next task is to address the need for more advanced threat detection and malware removal solutions that can automatically detect and respond to any future breaches. Finally, remember that communication in the event of an attack is absolutely vital to reassure consumers about the action that the brand is taking to regain their trust.

‘It’s important to remember that in a digital world, absolute security is a myth. As security evolves, so do hackers and the very flexibility in the software that we’ve come to embrace creates a problem. As complexity and connectedness increase, so do the avenues of attacks so all businesses need to be prepared.’

Andy Heather, VP EMEA, data security, HP Security:

‘Immediately following any high profile cyber attack there are questions such as who, how and what – to a great extent this is immaterial.  Most companies do collect significant amounts of personal information on their customers such as their addresses, identification numbers and dates of birth. If left unprotected, this information would give the attackers almost all of the information they need to undertake fraudulent activity on the a compromised user’s behalf.

‘Many leading companies already employ format-preserving encryption to protect the data itself. The TalkTalk attackers would have ended up with unusable encrypted data instead of the current outcome where an untold amount of their customers’ personal information is now in the hands of cybercriminals.’

> See also: Data encryption – what can enterprises learn from consumer tech?

‘The theft of financial information credit card or account information has a limited lifespan, until the victim changes the account details etc. but the personal information that can be obtained by accessing someone’s account profile has a much broader use and can be used to commit a much wider range of fraud and identity theft, and simply cannot be changed.

‘The value of this personal data to the cybercriminal has a much greater value, for example where the selling price for a single stolen credit card is around $1, if that card information is sold with a full identify profile that can dramatically increase up to $500. If the cyber criminals know where the real value is then surely we should all expect responsible organisation to pay appropriate attention to keeping our personal information safe.

‘Encryption of data is essential to protect customer data not just when it is stored but throughout its entire life cycle, wherever it is, and however is used within an organisation this, along with a robust security stance is the only way to stop criminals profiting from stolen data.’

Nick Wilding, head of cyber resilience, best practise organisation AXELOS:

‘The reality is that despite how much money, people, resources, and technology you apply to the cyber threat, you will never be bullet-proof. You will be breached at some time. No organisation, whatever size they are or whichever sector they operate in, is safe. While we do not know the cause of this latest incident, all boards must take the lead in setting the right ‘tone from the top’ to all staff, demonstrating that it has a real understanding of the key cyber risks and how they will respond to an attack.

‘In addition organisations are missing a golden opportunity if they fail to take advantage of the most powerful force that can help protect their reputation, safeguard their information and keep customers close – their people. Employees need to understand the role they have in keeping their organisation’s most precious information secure – and they need to be actively involved and engaged in learning awareness programmes that use some of the latest learning techniques to avoid ‘ticking the compliance box’.’