In the wake of the TalkTalk hacking scandal, cyber security experts have warned consumers are being "held over a barrel" by internet providers asking customers to hand over sensitive banking information for direct debit payments, which is then stored online.
The details of four million consumers could have been exposed by the TalkTalk data breach, which the company and its CEO Dido Harding are still trying to get a handle on. However, the failure of TalkTalk to protect its customers' details including the leak of partial credit and debit card numbers has provoked security concerns for all companies storing banking information online.
Information security consultant Paul Moore, who exposed the vulnerability of TalkTalk's security provision a year ago, told IBTimes UK he believed customers were being exposed needlessly by companies and internet providers asking for direct debit payments. He said the problem was worsened when companies like Virgin Media and BT levied extra charges on customers opting not to pay by direct debit.
"I don't think the customer should be held over a barrel," he said, adding that direct debit payments were "inherently more risky because you are handing over yet more of your personal information and you are having to trust it is being secured securely."
Moore added: "Typically I don't use direct debit or continuous payment on to a debit card - for precisely this reason. You can never quite know how it is kept."
Joe Sturonas, chief technology officer of PKWARE, echoed similar sentiments. "I am very conservative in the amount of information I provide and I only try to focus on types of payments that would reduce my risk in terms of exposure," he said, adding that if the general public knew more about data protection practices they would doubtless also be more conservative.
Internet providers, telecoms companies and other businesses storing banking details in remotely accessible networks are reluctant to talk about how they secure their information. When contacted by this publication, a spokeswoman from BT said: "BT takes great pains to ensure we protect and secure our customer data, but will not reveal our security defences publicly." The company declined to comment on its use of direct debit payments.
Virgin Media said some of its payment options did incur a fee and that "Ensuring customer data is secure is of utmost importance to Virgin Media. Virgin Media has a wide range of security measures in place including encryption."
The Financial Conduct Authority explained to IBTimes UK: "Our rules state that fees should be presented in a way that is clear and not misleading so that consumers can know exactly what they will be charged before they sign up to a product or service."
An Information Commissioner's Office spokesperson said: "Organisations need to make sure they have the appropriate level of security in place to protect the customer information they hold. If they don't, we will act."