Customers of TalkTalk, the UK's largest broadband and phone provider, are said to still be at risk because of claimed loopholes in the company's online services. According to security experts, the vulnerabilities in the website and email services could allow hackers to gain access to customers' login credentials and financial details.
According to information provided by TalkTalk following the cyberattack on its website on 21 October, a total of 156,959 customers had their personal details accessed. Of these, 15,656 bank account numbers and sort codes were stolen; 28,000 credit and debit card numbers were obscured and cannot be used for financial transactions.
Although the company claims to have taken steps to strengthen its security standard, Codified Security, a London-based mobile cybersecurity testing firm, says various parts of the website and email services are unencrypted. Such vulnerabilities allow hackers with access to customers' internet connections to intercept communications.
Speaking to the Telegraph, Martin Alderson, chief technology officer at Codified Security, said the vulnerabilities could be discovered within seconds on the TalkTalk site. Codified found that TalkTalk had not yet implemented several industry-standard safety techniques. Codified says it contacted TalkTalk to inform the company about the vulnerabilities but did not receive any response.
"I would be surprised if any start-up, let alone a FTSE 250 company, would do this. If you were a security professional you'd find [these flaws] in a few seconds," said Alderson.
A TalkTalk spokesman said the company was working to improve security. "We cannot go into details on specific aspects of our website and email platforms for obvious security reasons; however, the security of our systems is a top priority and we constantly run vulnerability checks using tools developed by industry-leading experts."