TalkTalk security breach fuels bogus tech-support scam

Phoney tech-support fraudsters are using TalkTalk's stolen customer database to trick customers into handing over their online banking credentials.

Fraudsters are targeting customers of ISP TalkTalk using customer information stolen from the company's systems.

TalkTalk has warned its customers to beware of scammers after an uptick in complaints that fraudsters are posing as the company's own technical support staff in order to trick users into revealing their banking credentials.

"At the end of last year, we saw an increase in malicious scammers preying on our customers. In a small number of cases, customers told us that the criminals were quoting their TalkTalk account number as well as their phone number," a TalkTalk spokesman told ZDNet.

Following those complaints, the company's investigation revealed that its internal systems had been "illegally accessed in violation of our security procedures".


"We have now become aware that some limited, non-sensitive information about some customers could have been illegally accessed in violation of our security procedures. We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly," the spokesman said.

The company isn't saying exactly how the attackers gained access; however, the BBC reported that the attackers reached TalkTalk's internal systems via a third-party that had access to its network. TalkTalk says it has commenced legal proceedings and is working with UK privacy watchdog, the ICO.

The Guardian reported last December that there were suspicions that the data came from a call centre used by TalkTalk in India.

"We want to reassure customers that no sensitive information like bank account details has been illegally accessed, and TalkTalk Business customers are not affected. We have taken serious steps to remedy this and we are continuing to work with the ICO," TalkTalk's spokesman said.

Details compromised included names, home addresses, phone numbers, and TalkTalk account numbers. TalkTalk said bank and credit card details, as well as dates of birth, were encrypted on its system.

"We believe that the scammers may be using the information they have illegally obtained to trick people into thinking they are genuine TalkTalk callers, and encouraging them to hand over more detailed information, such as their bank details," TalkTalk warns on the scam alert page to which it is currently directing concerned customers.

The description fits with the story of one TalkTalk customer who fell victim to scammers posing as the company's anti-fraud team.

The fraudsters reportedly told the man that hackers were trying to access his internet account via his router. To gain the victim's trust, the caller also quoted the customer's name and other TalkTalk account details. The man was then led through a typical IT support phone scam routine: he was talked into installing remote access software on his laptop, which then displayed alarms (files marked with red crosses) for non-existent threats. Eventually he was persuaded to open his bank's website and, ultimately, to pass the fraudsters the one-time password sent to his mobile phone that was required to access his account. The victim lost £2,815 as a result of the attack.
