TalkTalk had at least 11 separate serious vulnerabilities in its website and may have enticed criminals to target it after revealing security weaknesses in a public tweet two months ago, according to cyber security experts with detailed knowledge of the hack attack on the telecoms group.
Many of the vulnerabilities were widely known and discussed online several weeks before the attack took place. Some are still unresolved.
TalkTalk revealed last week that hackers had gained access to the personal and financial details of thousands of its customers, in an assault that raised questions about the sophistication of the company’s digital defences.
Cyber security experts and officials with close knowledge of the hack have told the Financial Times that TalkTalk failed to implement basic measures to make sure it was well protected from a determined hacker — even as news has emerged that the breach affected far fewer of the company’s customers than had originally been feared.
TalkTalk has now appointed PwC, the professional services firm, to carry out an independent investigation into whether the company could have done more to protect customers, as well as to determine how to shield them more effectively in future. The firm will report to the telecoms company’s non-executive director James Powell, who is also chief technology officer at Nielsen.
Chief executive Dido Harding said her team had worked “round the clock for eight days” to find out the extent of the attack as quickly as possible.
A defiant Ms Harding said that she had the support of the board and investors, who had encouraged her “to do right” about the cyber attack. “Investors have been extremely supportive of the business and me,” she said.
She rejected suggestions that TalkTalk’s cyber security was materially worse than other companies, saying that “if anything, it has dramatically improved in the last year”. Customer information can be found on any telecoms company on sites used by hackers in “three clicks”, she said.
“What we have done, unlike others, is been open and honest.”
A second teenager was arrested on Friday in London on suspicion of involvement in the incident, and another address was searched in Liverpool. A 15-year-old was arrested in Northern Ireland on Tuesday.
TalkTalk said in a statement it believed fewer than 21,000 bank account numbers and sort codes had been taken during the attack, although it warned that up to 1.2m customer email addresses, names and phone numbers had been exposed, which could lead to extensive scamming attempts.
Up to 28,000 obscured credit and debit card details and 15,000 customer dates of birth were also at risk of being used by criminals, it added.
Original estimates last week had suggested all 4m of the company’s customers could have been affected.
A senior government security official said the breach was nevertheless a result of “elementary” problems with the company’s outer layer of digital defences and was perpetrated by unsophisticated attackers. Many other British companies were equally exposed, they warned.
“The attack is an example of basic security guidelines being overlooked. This was a very simplistic route into the organisation,” said Levi Gundert at cyber threat intelligence firm Recorded Future. “Security to prevent an attack like this is the equivalent of locking your windows and your doors when you go out. And when it’s your website that’s targeted, that’s like someone walking through your front door.”
Interest in TalkTalk as a possible target for hacking may have been piqued after one of the company’s customer service representatives tweeted information indicating that the company stored customers’ login credentials in an unencrypted format, sparking more than 2,400 responses on the social media site, according to Recorded Future.
Discussions about TalkTalk’s unencrypted databases and at least 11 so-called cross-site scripting vulnerabilities took place on online forums used by hackers weeks before the actual attack on the company was announced.
“New techniques for attack develop all the time, so TalkTalk continually updates and reviews our systems,” the company stated. “We work with world leading experts and make significant ongoing investment into cyber protection. We constantly run vulnerability checks using tools developed by cyber security experts and employ in-house white-hat hackers.”
The company said it had shared the bank details of those affected with the UK’s major banks to help protect customers’ accounts “in the highly unlikely event that a criminal attempts to defraud them”. It will contact customers directly when it has finished confirming all of those who were affected by the breach.
Government ministers have promised an inquiry into the hack after politicians launched scathing attacks against the company’s protection of customers.
TalkTalk is working with its security advisers, BAE Systems, to secure its website.
Additional reporting by Aliya Ram