TalkTalk has admitted that it didn’t protect customers’ data with encryption, after a massive hack has led to the potential theft of 4 million UK customers’ details.
Encryption is a method of scrambling data so that it can only be understood by someone with the correct key or password, and is considered standard practice in safeguarding sensitive data.
But in an FAQ posted online after the hack, TalkTalk says that “not all of our data was encrypted.”
Dido Harding, CEO of TalkTalk, told the BBC that she “can’t confirm” that customer data was encrypted.
The fact that TalkTalk didn’t use encryption to protect customers’ details becomes all the more worrying when you remember that this is the third cyberattack the company has announced in the last 12 months.
As Tom Cheshire, technology correspondent for Sky News, puts it:
“We have seen with the evolving cyberthreat landscape today that you need to enforce these types of security measures today,” Jens Monrad, a systems engineer for cybersecurity company FireEye told Business Insider. “Because the reality is it’s probably not a question of if you’ll be breached, it’s a question of when.”
Someone claiming to be the hacker has posted what appears to be a small dump of TalkTalk customer data online. It’s difficult to verify it conclusively, but BuzzFeed has spoken to one individual included in the dump who has confirmed he was a TalkTalk customer.
This data dump shows the customer’s name, address, telephone number and redacted (by the hacker) bank account details — suggesting that, if legitimate, even banking details may not have been encrypted properly. This would be a huge security screw-up, and put all 4 million customers at risk of fraud.
Even if bank account details were encrypted, the fact that the other data wasn’t puts users at increased risk of scams and criminal activity.
The Metropolitan Police is now investigating, and Harding says the company is “very sorry” for the hack.