TalkTalk data breach sees customers targeted after engineering visits

TalkTalk’s reputation for customer security could be damaged even further following claims that criminals have obtained information about engineering visits in an attempt to commit fraud.

Customers told BBC Radio 4’s Moneybox programme they had received calls purporting to be from TalkTalk days after receiving a visit from an engineer, late last year.

In each case, the engineer had said to expect a follow-up call from either TalkTalk or Openreach, but the recipients were still suspicious. However the callers were able to provide the name of engineers, account numbers and even the reference number for the visit, creating the impression that the call was genuine.

The customers, who were told TalkTalk needed to conduct tests or fix a fault remotely, were then requested to download software that would give the criminals remote access to the computers. The attackers then attempted to change passwords or steal money.

In one case, the customer was able to shut down his PC in time, but another had £300 stolen from her PayPal account, although this was refunded by her bank.

One complained to TalkTalk CEO Dido Harding, but her office said they had no record of the call and dismissed a possible explanation of tampered records. However it later acknowledged the issue and reported it to the Information Commissioner’s Office (ICO).

The company is adamant that it has not received any new complaints since the turn of the year, but another person told the BBC they had received a scam call only this week.

TalkTalk is unable to comment on whether the breach is related to the arrest of three people working for Wipro, one of its outsourcing suppliers in India, as this case is ongoing.

However this is the latest in a series of breaches at TalkTalk, the most serious of which occurred in October.

The scale of the assault was less than originally feared, but 1.2 million email addresses, names and phone numbers were stolen, as were 21,000 account numbers and sort codes and 28,000 partial card details. However, TalkTalk maintains that the data stolen is not sufficient for the attackers to steal money.

In its most recent set of results, TalkTalk said the cyberattack had cost it £60 million in lost revenue and confirmed 101,000 customers had left.