Friday, 23 October 2015

TalkTalk Hacked (again) - Consumer Advice

A lot of TalkTalk customers have been in contact with me today asking for my advice following TalkTalk's announcement of yet another major data breach.

The TalkTalk press release states "there is a chance that some of the following data may have been accessed:

Names
Addresses
Date of birth
Phone numbers
Email addresses
TalkTalk account information
Credit card details and/or bank details"

Given that TalkTalk are unable to confirm whether any of this data was encrypted when accessed, if you are a TalkTalk customer you should take this statement seriously and assume that the personal information and the bank account and/or credit card details you held with TalkTalk are now in the hands of cyber criminals and fraudsters.

What to Do
In summary, all TalkTalk customers must be extra vigilant in checking their bank and credit card accounts for fraudulent transactions, and for attempts at fraud by covert cyber criminals using their personal information against them.

Statement Checking
From this point on, all TalkTalk customers should regularly check the bank and credit card accounts shared with TalkTalk for fraudulent transactions. Transactions such as multiple mobile phone pay-as-you-go top-ups and online casino and betting payments are common ways in which cyber criminals cash out on stolen account details. Even legitimate-looking transactions for low amounts with companies you know need to be verified, as criminals will often test a stolen bank account or credit card by performing a transaction for a low amount before committing further fraud at a later date. Criminals tend to go for lower transaction amounts at first, as these tend to go under the radar of some bank fraud detection systems. Some banks and credit card providers are better than others at detecting fraud, but it is important not to rely on any bank or credit card company to detect the fraud for you, as they are far from 100% in their detection.

If you do find any fraudulent or even suspicious transactions, contact your bank or credit card company immediately. Do not report it to the Police, TalkTalk or the company with which the fraudulent transaction was made. Only the bank and the credit card provider can take immediate steps like cancelling your card/account and reissuing a new one, and they are best placed to investigate the fraud and are ultimately the party in a position to return your money, even if they can't get the cash back. Do not worry, you will quickly get your money back as long as you have done nothing wrong.

Identity Theft
You may wish to consider registering yourself with a credit checking company to ensure no one is using your stolen personal information to take out finance in your name (identity theft). Expect to pay £10 to £15 a month for the privilege; you never know, TalkTalk might provide this service to you for free by way of an apology.

Beware of Phishing and Phone Scams
Criminals may use your stolen personal information against you. For example, they could use your information to send you highly realistic and personally customised emails, enticing or scaring you into visiting a compromised website or opening an attachment which installs malware onto your computer or smartphone, or general messaging that attempts to harvest further personal and financial data from you. These targeted email scams are known as spear phishing in the cyber security industry, and can even originate from criminals who don't have your TalkTalk info but are seeking to take advantage of the situation by impersonating TalkTalk, guessing you are a TalkTalk customer.

Beware of phone call scams where criminals use your stolen information to convince you the call is genuine, as we know TalkTalk customer phone numbers have also been compromised in this breach. These types of phone scam attacks are known as vishing attacks in the cyber industry. Always hang up on such calls and call the contact number on your bills and statements if you are concerned.

Passwords
The TalkTalk statement doesn't say that passwords were compromised in this breach, but I strongly advise you not to take any chances and to change your TalkTalk password immediately. Also make sure you aren't using your old TalkTalk password with any of your other online accounts, especially your email account and bank/credit card online accounts.

Choose Who You Share Your Personal and Financial Information With
Consumers should always consider the “cyber security hygiene” of companies that they intend to trust with their personal and financial information before using them. This is the third data compromise TalkTalk has reported in the last 12 months. In my experience these types of cyber attacks aren't carried out by elite master hackers; the real cause tends to be companies under-investing in protecting your information properly. Indeed, encrypting financial data is considered an industry security best practice, while encrypting debit/credit card data at rest is a fundamental requirement of the Payment Card Industry Data Security Standard (PCI DSS), which for the last 9 years has been a security standard that all companies handling and storing debit/credit card data are supposed to comply with.