British telecom company TalkTalk has suffered a cyber-attack, and this one might affect millions of its users, the company said.
According to a report by Reuters, the attack was "significant and sustained", and might have resulted in the theft of private data from all of the broadband supplier's more than 4 million customers.
"Investigation is ongoing but unfortunately there is a chance that some of the following data has been compromised: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details," the company said in a statement late on Thursday.
A criminal investigation has been launched, but according to the BBC, no arrests have been made so far.
It is still too early to know if any (and which) data has been stolen, said the telecom's chief executive officer Dido Harding, but the company nonetheless decided to contact all customers as a precautionary measure.
"Potentially this could affect all of our customers. I don't know for certain, which is why we are taking the precaution of reaching out to everyone," she told the BBC. Ms Harding added: "We brought down all our websites [on Wednesday] lunchtime and have spent the last 24 hours investigating with the Met Police."
A spokeswoman said Wednesday's attack was the first time TalkTalk's own servers had been subjected to a sustained external attack.
This is the third time TalkTalk has been the victim of a cyber-attack in the past 12 months. The previous breach happened in August, when its mobile sales site was targeted and personal data breached.
Dave Palmer, Director of Technology at Darktrace, commented: "This is the third time this year that, despite all of its investment in cyber security, TalkTalk has suffered a data breach. This proves that bread-and-butter defences that protect the perimeter are not sufficient when faced with a situation where threats of all types are often already on the inside. Companies need to ask themselves if they would be capable of spotting the early signs of an attack like this one. Ultimately, it comes down to visibility. Most organisations are inevitably infiltrated to some extent.
"So if you lack an 'immune system' style approach of detecting early indicators, you can fall fast into the same debilitating situation as this one. This is another shot of reality, which should provoke companies to boost their own internal defences and minimise the risk of this kind of attack happening again."
Commenting on the breach, Jim Gumbley from ThoughtWorks says it's the company's obligation to protect the data.
“TalkTalk's CEO has focused on the denial of service, i.e. their website getting bombarded with traffic. This is usually a form of vandalism with the effect of temporarily making a website unavailable. However, the data theft is much more significant for TalkTalk's business as it will mean their customers have the inconvenience of changing their passwords and also could be vulnerable to identity theft.
“Encryption is just the digital equivalent of locks and keys and it is certainly possible to know if data is encrypted or not. That said, in a firm that has grown rapidly by acquisition with a lot of data, it is not impossible that the company had lost track of whether data was encrypted or not.
“Companies have a responsibility to ensure data is protected appropriately from theft. When I speak to clients I always recommend that they build up a threat model to help them invest appropriately in protections before data theft can occur, and to minimize the impact if it does.”