Post-hack, TalkTalk treats defrauded customers poorly

Graham Cluley

There’s lots that can be said, and has been said, about the hack of UK telecoms firm TalkTalk:

  • That it should never have happened – because any corporate website worth its salt should be hardened against SQL injection attacks.
  • That TalkTalk should have taken security more seriously – after the two other security breaches its customers suffered in the last 12 months.
  • That TalkTalk CEO Dido Harding was in no position to criticise her competitors’ security, claiming TalkTalk was “head and shoulders” better, while many of her customers were still in the dark as to whether they were at risk.
  • That TalkTalk CEO Dido Harding’s debatable claim that the company was under no obligation to encrypt credit card data ignores the company’s moral obligation to protect customers’ personal information.
  • That the company is damn lucky that only a fraction of its four million customers had their details exposed – because that appears to owe nothing to any skill on TalkTalk’s side.
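To make the first bullet concrete, here is an added example (not code from the original post, and not TalkTalk's own code) of what "hardened against SQL injection" means in practice. It uses Python's built-in sqlite3 module and a constructed, hypothetical `customers` table standing in for the kind of records the post says were exposed. The first lookup builds its SQL by string concatenation, so a crafted email address rewrites the query and dumps every row; the second sends the value as a bound parameter, so the same input matches nothing.

```python
import sqlite3

# Constructed sample data for the demonstration: a hypothetical table, not
# TalkTalk's schema, holding the sort of fields the post says were stolen.
SAMPLE_ROWS = [
    (1, "alice@example.com", "1970-01-01", "12345678"),
    (2, "bob@example.com", "1980-02-02", "87654321"),
    (3, "o'brien@example.com", "1990-03-03", "11112222"),
]

# A classic tautology payload: closes the attacker-controlled string and adds
# an always-true condition, so the WHERE clause matches every row.
INJECTION = "x' OR '1'='1"


def make_db():
    """Build an in-memory database populated with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customers (id INTEGER, email TEXT, dob TEXT, bank_acct TEXT)"
    )
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def lookup_vulnerable(db, email):
    """Query text assembled from user input: the input becomes SQL."""
    sql = (
        "SELECT id, email, dob, bank_acct FROM customers WHERE email = '"
        + email
        + "'"
    )
    return db.execute(sql).fetchall()


def lookup_hardened(db, email):
    """Parameterised query: the driver passes the value out-of-band, so the
    database never parses it as part of the statement."""
    sql = "SELECT id, email, dob, bank_acct FROM customers WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


def vulnerable_breaks_on_quote(db):
    """A legitimate address containing an apostrophe is enough to break the
    concatenated query outright (a syntax error), which is the other tell-tale
    sign of string-built SQL. Returns True if the query raised."""
    try:
        lookup_vulnerable(db, "o'brien@example.com")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Return (rows leaked by the vulnerable lookup, rows returned by the
    hardened lookup) for the same injection payload."""
    db = make_db()
    leaked = lookup_vulnerable(db, INJECTION)
    safe = lookup_hardened(db, INJECTION)
    return len(leaked), len(safe)


if __name__ == "__main__":
    leaked, safe = demo()
    print(f"vulnerable lookup returned {leaked} rows for payload {INJECTION!r}")
    print(f"hardened lookup returned {safe} rows for the same payload")
    print("legitimate O'Brien lookup works when parameterised:",
          lookup_hardened(make_db(), "o'brien@example.com"))
```

The point is not that sqlite3 is special: every mainstream database driver offers the same placeholder mechanism, and a query that reaches the database with customer-supplied text spliced into its string is the defect the first bullet is complaining about, whatever the web stack.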

Full details on how you can apply for a termination fee waiver from TalkTalk have been published on its website.



But, inevitably, there’s a catch in the small print.

Unsurprisingly, to qualify for the termination fee waiver you have to have lost money from your bank account as a consequence of the hack. And note that the financial loss has to have been since the latest hack, not the previous hacks for which TalkTalk customers continue to await compensation.

However, in addition, you must not have given the scammers *any* additional information.

“In the unlikely event that money is stolen from a customer’s bank account as a direct result of the cyber attack (rather than as a result of any information given out by a customer) then as a gesture of goodwill, on a case by case basis, we will waive termination fees.”

And this, of course, is what TalkTalk is betting will prevent a flood of defrauded users from leaving their contract without paying a termination fee.

Because the TalkTalk scams typically work like this: you receive a phone call (the scammers have your phone number, stolen from TalkTalk), and the caller convinces you they are calling from TalkTalk (because they know your name, date of birth and bank account details, all stolen from TalkTalk). Perhaps they even confirm the last four digits of your credit card (among the payment information stolen from TalkTalk).

And the scammers use this social engineering to dupe you into installing malware onto your computer (with the pretence of being TalkTalk customer support fixing a security problem), or they ask for further information that will help them commit identity theft by claiming they want to pay you compensation for the recent hack.

That sounds to me like TalkTalk thinks it’s perfectly fine for it to be careless with your personal data, but if you are tricked into sharing anything else *because* the scammers are using the data that they stole from TalkTalk… well, TalkTalk thinks that’s entirely your fault.

In my opinion, that’s no way to treat your customers.

Those TalkTalk customers who have lost money as a result of the series of hacking attacks aren’t going to feel any loyalty to a brand which treats them like that. Instead, they’re going to tell everyone they know for *years* to come not to go near the company with a bargepole.

It’s all rather depressing… in order to cheer myself up, I made an autotune video of Dido Harding describing the conditions under which TalkTalk will consider waiving your termination fee.

Please consider subscribing to my YouTube channel if you’d like me to make more videos. They’re not all as silly as this.

Oh, and if you’re not getting any joy from TalkTalk, some are suggesting that there is a loophole through which TalkTalk customers can ditch their accounts without paying a fee.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Post-hack, TalkTalk treats defrauded customers poorly”

  1. Micky

    I believe that there must be an opportunity for a new type of legal firm to emerge.

    "Were you conned into giving your personal
    and credit card details to a company that
    were actively complicit with providing this
    data to bad people?"

    I thought the PCI DSS was an obligation for card processors. Has TalkTalk illegally thwarted their responsibility with PCI? Hmmm

  2. drsolly

    Harding has an uncanny resemblance to Cluley.

  3. robred

    I am a TalkTalk customer. I consider myself to be pretty good on security issues, but I allowed myself to get scammed earlier today. To cut a long story short:
    – we had a TalkTalk engineer's visit on Saturday because of broadband unreliability
    – the problem was 'escalated' to the network team for further work, so I was expecting contact
    – this evening a "TalkTalk engineer" called to follow up on Saturday's visit. He quoted the problem, the day and time of the visit, the engineer's name and my TalkTalk account number.
    – he then (very slowly and patiently) lured me into giving remote access (I know…idiot!!).
    – then the scam started. He asked for some TalkTalk security questions to be answered, which, again (idiot!) I did. They were my PayPal questions!!!!
    – the call ended. I called TalkTalk to discover I had been scammed.
    – TalkTalk had no constructive response to the fact that their data had been used against me.
    – I found I was locked out of my PayPal account by password change.
    – I alerted PayPal. A £499 transfer to another PayPal account was stopped/reversed.
    – I have now changed every bit of password/memorable data (without using my own compromised computer/network!).

    I only fell for this scam because recent privileged personal data was used. The data leak is new. The engineer only visited 2 days ago. Already this data is out of TalkTalk's hands and is being used to gain the trust of the gullible, such as myself. I feel foolish, but also pretty angry.
