TalkTalk website hacked:4m customer's data at risk

[Michael Browne]

Police are investigating a "significant and sustained cyber-attack" on the TalkTalk website, the UK company says.

 

The phone and broadband provider, which has over four million UK customers, said banking details and personal information could have been accessed.

 

TalkTalk said potentially all customers could be affected but it was too early to know what data had been stolen.

 

The Metropolitan Police said no-one had been arrested over Wednesday's attack but enquiries were ongoing.

 

TalkTalk said in a statement that a criminal investigation had been launched on Thursday.

It said there was a chance that some of the following customer data, not all of which was encrypted, had been accessed:

 

• Names and addresses
  
• Dates of birth
  
• Email addresses
  
• Telephone numbers
  
• TalkTalk account information
  
• Credit card and bank details
  

http://www.bbc.co.uk/news/uk-34611857

[Conniff]

So despite being hacked on previous occasions, they still haven't encrypted their stored information. Doesn't once bitten twice shy mean anything today.

[numbers666]

So despite being hacked on previous occasions, they still haven't encrypted their stored information. Doesn't once bitten twice shy mean anything today.

 

They would probably store the hash in the same db anyway.....

[silverfox1961]

Found out earlier that they have been breached TWICE before this one. The last time they got hacked, a [EDIT] phoned me however, I am no longer with Talk Talk and haven' been for over a year. Dido Harding also mentioned that TT had received a call from the (supposed) hackers demanding money.

 

What the hell are they doing with my data after I have left them. Do they still have my account details? Do they still have my Bank details?

 

I am with Santander and when I set up a new payee, I get a one time passcode to use BUT this doesn't happen when a company sets up a DD.

 

There had better be no activity on my account otherwise Talk Talk will be getting both barrels

[nicolee2931]

Does this 3rd data breach in 12 months consistute breach of contract? I'm sure this is a question many still under contract with TalkTalk will be asking themselves.

 

Basically I would have thought there would be sufficient grounds to prove a case of no confidence to protect personal data and remain with TalkTalk.

[sillygirl1]

I am taking the opportunity to leave Talk Talk early (I am apparently stuck with them until May next year) becaue of this. They don't have my bank details as I phone them up and pay by card...at least the only bank details they would have are very very old ones!

 

/////////////

[nicolee2931]

The only reason I ask is wouldn't TalkTalk need to issue a MAC code to allow a subscriber to leave and take the service elsewhere?

 

I'm not a TalkTalk subscriber, but is there anything in law that states these data breaches are breach of contract on TalkTalk's part to effectively protect the data of their customers. As I'm sure if TalkTalk wanted to retain a customer under contract they could do so by failing to disclose the required MAC code.

[nicolee2931]

My mistake you don't need a MAC for TalkTalk anyway and MAC's are no longer required as of June 2015.

 

But netherless could TalkTalk technically chase for the remainder of contract they perceive to remain? As technically they could report to CRA's as a default.

[sillygirl1]

MAC codes are covered by OFCOM and companies can be fined if they don't provide one in a certain length of time.

 

As for the mis-reporting to CRA's that is covered by law and the company could be taken to court and the ex-customer could get up to £1000 per month for the default - there is case law to support this but I can't remember which case - somebody on here will know.

[sillygirl1]

In the Talk Talk terms and conditions there is a clause that sates they will securely keep your data and only reveal it to relevant organisations. This clause could be deemed to have been breached.

[silverfox1961]

MAC codes are covered by OFCOM and companies can be fined if they don't provide one in a certain length of time.

 

As for the mis-reporting to CRA's that is covered by law and the company could be taken to court and the ex-customer could get up to £1000 per month for the default - there is case law to support this but I can't remember which case - somebody on here will know.

 

Sorry to correct you SG but it is per default not per month and that figure is likely to be the most a complainant could get depending on the seriousness of the default and the effect of it (higher apr credit card, refused mortgage)

[nicolee2931]

They seem to have covered themselves in 13.2, but I think it could be argued 3 data breaches in 12 months is excessive and also the contract is reasonably unfair.

 

13 OUR LIABILITY TO YOU

 

13.1 We’re only liable for losses that could reasonably be expected to occur when we entered into this agreement.

 

13.2 We’re not liable for:

 

(a) loss of data or information;

 

(b) business losses;

 

© loss of your time;

 

(d) problems caused by other network operators/providers of telecommunications services;

 

(e) losses caused by third party services or goods, content or viruses that you access through the services; or

 

(f) the failure of any alarm system that you try to run over our network or services.

 

13.3 Our total liability to you shall be limited to £5,000 for any one incident or series of related incidents.

 

13.4 Nothing in these terms excludes or limits our liability for anything we can’t exclude or limit by law. See paragraph 22 for further information about your rights.

 

 

But there is a term in the contract that TalkTalk will make every effort to secure your data in accordance with their Privacy Policy.

 

18 HOW WE USE YOUR INFORMATION

 

18.1 We take privacy very seriously. We’re committed to protecting and preserving any information you give to us and to being transparent about what information we hold and how we use it. We’ll only use your information in accordance with our Privacy Policy, which you agree to by ordering or using a service.

[Old Cogger]

end of the day the breach was their owned records they are libel in all respects and very heavy fine, 3 in one years says it all, trouble Regulators want money to register then hope to get away with no expense in suing!"

[obiter dictum]

Stick my ear in and opinion

 

Talk Talk own T&C cannot override statutory duty and statutory rights, that being the DPA 1998

 

Talk Talk will also owe you a duty of care as to Negligence and committing a civil wrong (Tort)

 

If this data breach cause you harm and you suffer because of it then Talk Talk will be liable for its actions

 

My own opinion will be Caparo v. Dickman [1990] covers this nicely

[sillygirl1]

Thanks Silverfox, I knew it was covered by law - brain getting into holiday mode now!

[sillygirl1]

Just for info Talk Talk are offering 'free credit monitoring' via Noddle - which is free anyway! I'm already on Noddle and they don't record their debts on there in the first place. Nothing in place which says I am a Talk Talk customer recorded there.

[huggy41]

just to make it clear on the mac code . as i now work for the biggest telecom provider mac codes are no longer required by the new isp provider.

[riverstyx]

Just for info Talk Talk are offering 'free credit monitoring' via Noddle - which is free anyway! I'm already on Noddle and they don't record their debts on there in the first place. Nothing in place which says I am a Talk Talk customer recorded there.

 

The basic noddle service is free, but the credit 'monitoring' subscription bit isn't (I think it's 20 quid a year). The code they have sent out seems to be generic rather than tied to a particular account or a single use, I've just used it on my noddle account and on my girlfriends noddle account to activate the monitoring service on both without any issues.

[Human Writes]

Stick my ear in and opinion

 

Talk Talk own T&C cannot override statutory duty and statutory rights, that being the DPA 1998

 

Talk Talk will also owe you a duty of care as to Negligence and committing a civil wrong (Tort)

 

If this data breach cause you harm and you suffer because of it then Talk Talk will be liable for its actions

 

My own opinion will be Caparo v. Dickman [1990] covers this nicely

 

I think even if you did not suffer direct personal harm you could still argue that Talk Talk are in breach of contract, because they have failed to to provide to service to every customer with reasonable skill and care.

 

They have been grossly negligent having failed to encrypt customers personal details, the DPA requires that they take "reasonable technical and organisational measures" to protect customers data, this is apparently the third cyber attack Talk Talk have suffered in less than 12 months and they are still not encrypting data on their website. The DPA has been statute since 1998, this is 2015. Literally unreal.

 

The sections of their contract ref data breach would definitely get set aside as an unfair term in a consumer contract, they are trying to use their contract to set aside their legal duties under statute to their consumers, which wouldn't wash with a judge or an ombudsman. Compensation under the DPA is definitely out as you have to be able to demonstrate loss, but if you stuck to simply securing a release from contract without charge due to their breach of contract you should be able to secure cancellation regardless of their public statements that they will not cancel the contract.

 

If I was still with them, I would make a complaint, when they refuse to cancel contract take the matter to arbitration (at their cost of £500+), and then onto the courts if you still don't get any joy, there is no way an impartial third party would not take the view that they have failed in their duty of care and are in breach of contract.

[microbar]

Subscribed.

[Damian Bee]

Everybody's Talk Talking about them. Isn't it just the next instalment in a current wave of (desperate) marketing? Embedding products in news stories. Raising profile. Channel 4 have done similar.

[Conniff]

It would seem that Talk Talk CEO Dido (your all peasants and i'm a CEO) Harding has gathered her team together and asked for someone to come up with a 'get out clause' that means you will have to pay a penalty to end your contract.

 

The wording, coming from her own lips, is:

 

"In the unlikely event that money is stolen from a customer’s bank account as

a direct result of the cyber attack (rather than as a result of any information

given out by a customer) then as a gesture of goodwill, on a case by case basis,

we will waive termination fees."

 

I would think they are feeling very smug with that which means if you are conned by a scªmmer on the phone and you gave them any details, (even the colour of your knickers), then it is your own fault and you will have to pay us to leave.

And that, of course, is what TalkTalk is betting will prevent a flood of defrauded users from leaving their contract without paying a termination fee.

 

The way these scªms are operated is that you receive a phone call (because the scªmmers stole your phone number details from TalkTalk), where they convince you that they're calling from TalkTalk (because they know your name, date of birth and bank account information - all stolen from TalkTalk). Maybe they even confirm the last four digits of your credit card (amongst the payment information stolen from TalkTalk).

 

When will these companies take charge of themselves and treat their customers fairly.

 

I hope this brings them down, they have no interest in you or your hard earned pennies as long as their £millions is ok.

Edited November 3, 2015 by Conniff

[silverfox1961]

Spot on Conniff.

 

Big companies work to increase the share dividend they pay out to keep the industry happy, Not the consumer who they treat as fodder for the shareholders.

 

They spend too much time navel gazing to see that if they treat customers fairly in the first place, the word spreads slowly however, if they treat customers badly (as in this case) the word spreads a damn sight faster.

 

Vodafone is another example of poor customer service. Ms Harding ought to take that on board, bring the call centres back to the UK and treat people how they would expect to be treated.