The TalkTalk aftermath: Social engineering and empty bank accounts

The company says not enough data was stolen for customer bank accounts to be affected -- so why are people finding their accounts cleaned out?
Written by Charlie Osborne, Contributing Writer

TalkTalk customers caught up in the cyberattack are finding themselves the target of sophisticated social engineering campaigns tailored with TalkTalk data to empty their bank accounts, reports suggest.

This month's cyberattack on UK telecoms provider TalkTalk may have affected up to four million customers. Details of how the breach took place are still sketchy, but the firm says that customers' names, addresses, dates of birth, email addresses, telephone numbers, account information, and credit card and bank account data -- the last two incomplete -- may have been accessed.

TalkTalk does not believe information stolen from its systems would lead to financial harm to its customers. But while the information might not lead to widespread pilfering of bank accounts in a traditional sense, customers are losing out in other ways -- through the clever use of social engineering based on the stolen customer information.

The BBC reports that a number of people say their bank accounts have been emptied, even though the data stolen from TalkTalk -- such as bank account numbers and sort codes -- cannot by itself be used to withdraw funds. Instead, it appears that criminals holding this data are phoning victims, quoting it to establish credibility, and tricking them into handing over the additional banking details that can be used to move money out.

Social engineering comes in many forms and guises. From the man in a hi-vis vest who poses as a contractor to get into a corporate building, to the scammer who calls claiming to be Microsoft technical support and says your computer "has a virus" that he can remove for a fee, it takes only a small amount of accurate data for criminals to dupe victims into willingly handing over something far more valuable.

In TalkTalk's case, social engineering is an issue -- but it is unlikely that everyone will be targeted by this scam, simply because each call takes time. However, customers are also reporting that attackers are using passwords stolen from TalkTalk, which those customers had reused on other services, to plunder their bank accounts through online banking.

TalkTalk has said it will write to customers but will not call them individually -- but reaching so many customers, and making them aware of what social engineering is and the risks it carries, is not a small task.

On Sunday, TalkTalk said cybersecurity defense firm BAE Systems has been hired to investigate the cyberattack. The company also admitted it had received a ransom demand from the group behind the hack, and according to security expert Brian Krebs, the ransom was for £80,000 ($120,000) to stop the data being leaked to the Web.

It now appears too late to stem the spread. On dark web marketplaces, the data is being offered for sale by multiple sellers, who post samples as proof that they hold the stolen information. (ZDNet has not been able to verify the legitimacy of the data.)

According to a TalkTalk support notification, not all of the data stolen by the cybercriminals was encrypted, and on Sunday TalkTalk CEO Dido Harding said the company was under "no legal obligation" to encrypt sensitive customer data.

While these remarks are unlikely to do the telecoms firm any favors in the wake of the cyberattack, it is worth noting that the UK's Data Protection Act 1998 requires only that personal data be protected by "appropriate technical and organisational measures" against unauthorised processing and accidental loss. The Act does not name encryption, so there is no legal requirement forcing firms to invest in it.

The telecoms provider has also faced criticism for charging customers hundreds of pounds if they wish to leave the service in the wake of the attack. According to Harding, waiving the usual contract exit terms and fees right now would not work as it is "too early to know who has and hasn't been affected."

"But on an individual customer basis, of course we want to do what is right for our customers," Harding commented.

At the time of writing, TalkTalk's website is down. However, a spokesman said once an investigation by TalkTalk and BAE Systems is complete, the website will be up and running again as quickly as possible.

A hacker claiming to represent the hacktivist group LulzSec has claimed responsibility for a distributed denial-of-service (DDoS) attack that hit the ISP this week. The hacker, using the handle AnonZor, says the group was not responsible for the data theft, but launched the DDoS attack to show that LulzSec has come out of retirement.

TalkTalk is offering customers one year of free credit monitoring -- but credit monitoring flags new credit applications in a victim's name, not a phone call that talks them out of their banking details, so this token apology is not enough when customers face a group capable of using social engineering to empty their bank accounts. TalkTalk's breach will now spill over to the banks and to law enforcement, which will need to work with customers duped by the criminals to try to recover their lost funds.
