Millions of TalkTalk customers have been told to be vigilant and keep monitoring credit reports following a "significant and sustained cyberattack" on the company's website. Police are investigating an allegation of data theft that means customers are now at risk of having their personal data, such as credit card and bank details, being leaked to criminals.
TalkTalk has apologised after admitting personal data including names, addresses and telephone numbers may have been breached in the attack. A spokesperson said: "We would like to reassure you that we take any threat to the security of our customers' data very seriously.
"We constantly review and update our systems to make sure they are as secure as possible and we're taking all the necessary steps to understand this incident and to protect as best we can against similar attacks in future. Unfortunately cyber criminals are becoming increasingly sophisticated and attacks against companies that do business online are becoming more frequent."
The website has already advised customers keep an eye on their accounts over the next few months for unusual activity and to contact their bank and Action Fraud as soon as possible if they spot anything.
TalkTalk also said if customers are contacted by anyone asking for their personal data or passwords, such as for your bank account, to "please take all steps to check the true identity of the organisation" and to check your credit report with the main credit agencies including Call Credit, Experian, Equifax and Clear Score. Noddle also allows free access to your credit report for life.
Security experts have given advice to customers who fear their details may have been targeted as part of the cyberattack.
Justin Basini, co-founder and CEO of ClearScore, said: "TalkTalk customers face a very real threat of fraud – people will be worried that their personal details may already have been sold on to criminals looking to instigate phishing attacks. Customers need to be proactive in looking out for suspicious or unexpected activity, such as someone taking out a credit card or loan in their name. TalkTalk customers should check their credit reports to monitor for any unusual activity. Any unusual behaviour should be reported to Action Fraud."
ClearScore also has advice more advice for customers on what to do if they think their data may have been breached:
Look for evidence of fraud
• If you are a victim of identity theft, you will see evidence of it on your credit report.
• Look for tell-tale signs of fraud such as new credit accounts that you did not set up. Check if there has been an increase in enquiries on your credit report. If a fraudster is attempting to open up several accounts, an inquiry will be listed on your credit report for each of those attempts.
• Also, check that your address(es), phone number(s), and other information is correct.
Report any fraud
• If your credit report indicates you are a victim of identity theft, you will want to immediately take steps to remove the fraudulent accounts.
• You should report any fraudulent activity to Action Fraud on 0300 123 2040 or www.actionfraud.police.uk.
• Make sure you have any relevant information to hand (for example names, dates, information about the suspect, and details of how any money was lost).
• Tell your bank or financial services provider about any suspicious activity so they can put a freeze on fraudulent lines of credit.
• Continue to monitor your credit reports – we suggest you do this at least once a month so you can spot any fraudulent activity.
Jon French, security analyst for AppRiver, added: "The two major things customers need to do is keep an eye on their banking information to look for fraudulent transactions, as well as be vigilant with communications. By communications, I mean they should be suspicious of any unexpected emails or phone calls that may be asking them for additional information.
"If someone calling or emailing you already has information like name, address, email address or other account information, that doesn't mean they can automatically be trusted. They may cite that data to get someone to trust them to hand over more information, like a credit card or password."
Benjamin Harris, managing security consultant of MWR InfoSecurity, who offer advice to customers and organisations that may be targets to this type of cyberattack, added: "As always when there is a concern that payment data may have been breached, consumers should pay attention to transactions made on their debit and credit cards and report any suspected fraudulent transactions to their card issuer.
"Being proactive will help to limit any damage caused by exposure of credit card information, however if consumers are heavily concerned about the confidentiality of their debit or credit card, it is recommended that they contact their card issuer to provision replacement cards, thus invalidating the previous credit or debit card used."
Mike Smart, digital strategist at Proofpoint, added: "Anyone impacted by the TalkTalk incident should assume that their confidential data is now freely available on the dark web and cybercriminals will be looking to utilise it for financial gain. Individuals should make sure they change passwords to websites that share the same password as they used to access their TalkTalk website. They should also realise that they will be at an increased risk of email 'phishing' and therefore must be on the look-out for suspicious emails.
"Individuals should refrain from clicking on URL links or attachments in emails they are not expecting. If they get an email from a bank or other websites with log-in links, instead of clicking on the link in the email, they should open up a new browser session and visit the website directly."
Action Fraud is the UK's national fraud and internet crime reporting centre, and they can be reached on 0300 123 2040 or via www.actionfraud.police.uk