Last week’s news, which came directly from TalkTalk, was a personal shock to me: I am one of their customers and so I have now been a victim of this cyber attack. The first thing I wanted to do was change the password on my TalkTalk account, but its website is still not available to do so. The most worrying thing is that there is still no answer to two fundamental questions: what data was breached, and was it encrypted?
In an update, TalkTalk said the amount of financial data stolen from its systems was “materially lower” than expected, and said that the attack was on its public-facing website and not its core systems.
The data which may have been breached includes:
- Dates of birth
- Email addresses
- Telephone numbers
- TalkTalk account information
- Credit card details and/or bank details
Now, on the assumption that my details held by TalkTalk have been compromised, I have taken the precautionary measures below, and would suggest that anyone affected consider doing the same:
- Change passwords:
As said above, the TalkTalk website is still not available, but as soon as it is, change your TalkTalk account password.
If the same password is also used to protect another online account (for example banking, social media or any other essential service), those passwords should be changed as well, since a password exposed in one breach is routinely tried against other services.
- Answering phone calls/emails:
Be careful if you receive a phone call or email claiming to be from your bank and asking you to reveal any passwords or banking details. TalkTalk and the banks have repeatedly said that they will never ask for passwords or PINs to be revealed over the phone or by email.
- Check your bank/credit card accounts:
Watch your bank and credit card accounts for any unexpected activity and report it to your bank immediately.
- Credit monitoring:
I received an email from TalkTalk containing the code TT231, which can be used at Noddle to monitor your credit file free of charge for the next 12 months. More details are available via this link.
As consumers, we expect the authorities investigating this breach to get us answers to these fundamental questions:
- Did TalkTalk carry out the due diligence required to protect sensitive data?
- Was that data stored encrypted?
- Were the encryption keys protected?
- When was their website last penetration tested, by whom, and what was the status of any open findings at the time of the breach?
- Were they PCI compliant at the time of the breach?
- This appears not to be the first time their website has been attacked; did they act on the recommendations that resulted from the last breach?