TalkTalk has said that it has received an email demanding a ransom be paid, after it suffered a hack which has potentially put the details of up to four million customers at risk.
Speaking to the BBC, TalkTalk confirmed that it had suffered from a distributed denial-of-service (DDoS) attack that disrupted its website earlier this week. Last night the telecoms firm revealed that information such as customers’ names, addresses, phone numbers, dates of birth, and bank details could now be in the hands of hackers.
The Metropolitan Police’s cybercrime unit is investigating, and customers are being told to watch their bank accounts for unusual activity, and contact Action Fraud UK if they spot anything suspicious.
Earlier a message had been posted on Pastebin claiming to be from the attackers, including what was said to be customer data.
Of course, because TalkTalk has suffered a series of security breaches in the last year it’s hard for anyone on the outside to confirm that the data shared in the unverified Pastebin message is from the latest security breach, or if it is from the group who emailed TalkTalk.
Dido Harding, chief executive of Talk Talk, told the BBC that the email had demanded not just that a ransom be paid for the safe return of stolen data, but also to prevent further denial-of-service attacks.
“Yes, we have been contacted by - I don’t know whether it’s an individual or a group purporting to be the hacker. I personally received a contact from someone purporting - as I say, I don’t know whether they are or are not - to be the hacker, looking for money.”
Harding admitted that the company could have done more, but added that there is probably no company which couldn’t do more to protect its systems.
On the BBC News at One, TalkTalk’s CEO was quoted as saying that the company was unable to confirm what stolen data might have been encrypted - and which wasn’t.
Such uncertainty is not going to comfort customers I suspect.
If the attackers did attempt to blackmail TalkTalk it certainly wouldn’t be the first time that hackers have tried to extort money from the company it was attacking through a denial-of-service attack. If they had also managed to steal TalkTalk customer data then they are just turning the thumbscrews that little bit tighter…