TalkTalk customer bank details found through Google search

A Google query was all it took to find the data of 4,500 customers -- none of whom were informed about the leak.
Written by Charlie Osborne, Contributing Writer

TalkTalk has failed to tell 4,500 customers that their financial details were involved in a past data breach.

According to a BBC Watchdog investigation, it took nothing more than a quick Google search to find information belonging to 4,545 customers.

The data in question has not been connected to a new security incident. Rather, it relates to a data breach suffered by the ISP in 2015 which was described as a "sustained cyberattack." 

The publication says that the 4,545 customers impacted by the leak were told by TalkTalk that their details were not compromised. However, the BBC was able to find their full names, addresses, dates of birth, customer account numbers, telephone numbers, and financial information.

See also: Georgia Tech reveals data breach, 1.3 million records exposed

In total, during the 2015 cyberattack, the financial information of close to 157,000 customers was exposed, including account numbers and sort codes.

At the time, such security breaches could result in fines of up to £500,000 issued by the UK's Information Commissioner's Office (ICO) under the 1998 Data Protection Act (DPA).

TalkTalk was slammed with a record fine of £400,000 after the data watchdog found numerous failures and oversights in the telecoms provider's security practices.

Potential fines have now been raised to two percent of worldwide turnover or up to €10,000,000 under the new General Data Protection Regulation (GDPR) for similar data breaches.

The leaked information has likely been available online since 2015's security incident without the knowledge of its owners, an oversight that TalkTalk has called a "genuine error."

TechRepublic: Your data, stolen twice: Pirated phishing kit contains hidden backdoor

Impacted customers will receive a notice of the latest evidence of data exposure, alongside a written apology.

"A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident," TalkTalk told the BBC. "This was a genuine error and we have since written to all those impacted to apologize. 99.9 percent of customers received the correct notification in 2015. On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss."

CNET: Instagram website leaked phone numbers and emails for months, researcher says

Earlier this month, Canadian telecoms provider Freedom Mobile said an unsecured database exposed personal information belonging to roughly 15,000 customers. Researchers who reported the database said that the "totally unprotected" data cache contained information including names, addresses, IP addresses, and unencrypted financial data. 

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards