TalkTalk offer credit monitoring after cyber attack
TALKTALK say they're arranging for all of their customers to be given a year's free credit monitoring, following a major cyber attack on their website this week.
The offer is a gesture towards helping customers keep their identities secure after what will be the third data breach within the year for some of them.
It also underlines the seriousness of Wednesday's attack, which saw TalkTalk taking down their website in an effort to prevent further access to any data.
The ISP say they'll be getting in touch with all four million of their customers to let them know what's happened, what they can do to protect themselves, and how to take advantage of the free credit monitoring.
It's thought that TalkTalk were subjected to what's called a "distributed denial of service" (DDoS) attack, in which a website is hit by so much traffic it can't cope.
But these kinds of attacks don't represent any danger to customer data - so there are suggestions that the DDoS attack was intended as a distraction while the data was accessed.
On Thursday evening TalkTalk confirmed that the Metropolitan Police's Cyber Crime Unit were investigating the attack, saying:
"We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed."
It's too early, they say, to know just how much customer data was accessed, but they've said it's possible that all their customers could be affected somehow.
The information they say may have been lifted includes:
- Names and addresses
- Email addresses and contact numbers
- Dates of birth
- TalkTalk account information
- Bank and credit card details
What's more, it's not clear how much of the above information was encrypted - which would at least make it much more difficult for those accessing it to do anything with it.
Three times unlucky
As well as being a source of concern for us as customers, that detail could be of interest to the Information Commissioner's Office (ICO).
They say they were made aware of the attack on Thursday, and that they'll be "making enquiries and liaising with the Police".
TalkTalk are already on the ICO's radar after a data breach late last year.
The ISP started investigating that breach after they noticed an increase in complaints about suspicious calls from people claiming to work for them, but it took until February for the ISP to confirm that a breach had taken place.
The ICO are still investigating that incident, and should they find TalkTalk to have been at fault they have the power to issue a fine of up to £500,000.
Then in August, TalkTalk's mobile phone customers were affected by a "sophisticated cyber attack" on Carphone Warehouse.
TalkTalk have been much quicker off the mark letting people know something has happened this time - but it still wasn't soon enough for some.
When they issued their statement on Thursday night, the ISP said they'd be contacting their customers by email and letter "straight away".
But because of the timing of that statement, many TalkTalk customers weren't made aware of the depth of the problems until they saw Friday morning's headlines.
At the time the site first went down on Wednesday, some customers were also experiencing a broadband outage - and while the ISP said the two incidents weren't connected, they didn't say what the problem with the site was.
That's led to criticism from many customers, upset about how long it took TalkTalk to alert them to a possible security issue, and that they had to find out from the news or social media.
So as well as promising to contact their customers individually with full details, "support and advice", TalkTalk now say they're "working with the media to ensure customers get the information they need as quickly as possible".
They've also been in touch with "the major banks" to ask them to monitor their customers' accounts for suspicious activity.
What can I do?
While the rest of the TalkTalk site is back up and running again, at the time of writing, the sales and My Account sections are still offline.
That means that customers can't log in to change their passwords just yet, although TalkTalk say they'll be encouraging people to do so as soon as possible.
The real headache for many people will be all the other passwords for all their other accounts that will need to be changed.
We know we shouldn't do it, but many of us use variations of the same password for numerous accounts - leaving us vulnerable to further attacks.
This is where the offer of a year's free credit monitoring may well help.
It's not clear which of the credit reference agencies TalkTalk will organise this with - and there are differences between them - but they are pointing people in the direction of the free-to-use service at Noddle in the meantime.
Having free access to a credit monitoring service won't help prevent any cases of identity theft that result from the TalkTalk breach, but it does give us a way to check what applications or activities are being carried out under our identities.
Anyone who does notice suspicious or unauthorised activity on an account should contact the provider straight away, and also report it to Action Fraud, either online or by calling 0300 123 2040, making sure to get a police crime reference number.