The U.K. telecom provider TalkTalk recently announced that the Metropolitan Police Cyber Crime Unit is investigating "a significant and sustained cyber attack" on the company's website on October 22, 2015.
"That investigation is ongoing, but unfortunately there is a chance some customer data may have been compromised," TalkTalk said in a statement. "We're continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed."
All those affected are being offered one year of free access to a credit monitoring service.
The customer data potentially compromised includes names, addresses, birthdates, email addresses, phone numbers, TalkTalk account information, credit card details and bank account details. It's possible that ex-customers' data may have been compromised along with that of current TalkTalk customers.
"Not all of the data was encrypted," TalkTalk admitted. "We constantly review and update our systems to make sure they are as secure as possible. We're working with the police and cyber security experts to understand what happened and protect as best we can against similar attacks in future."
Tim Erlin, director of IT security and risk strategy at Tripwire, told eSecurity Planet by email that any company that collects, stores or transmits personal information needs to encrypt that data at rest and in transit. "It's not a change that occurs overnight, but it should be a clear requirement," he said.
"Even encryption isn’t a perfect solution to data theft," Erlin added. "The sensitive data we need to protect also needs to be used by various business systems. If those systems are compromised, the data can still be accessed by attackers. Companies need to secure the configurations of their systems as well as encrypt the data they use."
Earlier this year, TalkTalk acknowledged that a separate data breach in late 2014 had exposed customer account numbers, addresses and phone numbers, which were then used in targeted phishing attacks.
Amichai Shulman, co-founder and CTO of Imperva, said TalkTalk customers should check their bank accounts for fraudulent activity and be particularly vigilant for phishing attacks. "The theme that keeps repeating itself is that every time such a breach occurs, media outlets focus heavily on the stolen credit card numbers, however, in practice, for the average person the theft of personal data is much more critical," he said.
A recent eSecurity Planet article examined 10 encryption tools you should know about.