British telecoms giant TalkTalk has confirmed it is investigating a data breach after a hacker claimed to have stolen the personal information of millions of customers.
In a post on a popular cybercrime forum seen by TechCrunch, an individual using the alias “b0nd” claimed to have stolen the personal data of more than 18.8 million current and former TalkTalk subscribers. This data, which the threat actor offers for sale, supposedly includes customer names, email addresses, IP addresses, phone numbers, and subscriber PINs.
In a statement to TechCrunch, TalkTalk spokesperson Liz Holloway confirmed that the company is investigating the data breach, but said the hacker’s reported $18.8 million figure is “completely inaccurate and significantly overstated.”
TechCrunch believes TalkTalk currently has about 2.4 million customers.
“As part of our regular security monitoring, given our ongoing focus on protecting customers’ personal data, we were made aware of unexpected access and misuse of the systems of one of our third-party vendors,” Holloway said at TechCrunch. “Our security incident response team continues to work with the vendor regarding this matter and protective containment measures were taken immediately.”
Holloway declined to name the third-party vendor, but screenshots shared by b0nd suggest the data was stolen from CSG’s Ascendon platform, which TalkTalk uses for subscription management.
In a statement sent to TechCrunch, CSG spokeswoman Kristine Østergaard said the company became aware that “an external party gained unauthorized access to an individual vendor’s data residing on a CSG platform” on January 21. However, he added that CSG has “no evidence” that its systems were compromised or that CSG was the cause of the TalkTalk breach.
TechCrunch understands that the personal data of a small subset of TalkTalk customers is stored in Ascendon. Holloway confirmed to TechCrunch that “no financial or billing information was stored on this system.”
TalkTalk was previously fined £400,000 after a 2015 data breach in which hackers stole the personal data of 157,000 customers, including some financial information. Britain’s Information Commissioner said at the time that TalkTalk had failed to implement “the most basic cyber security measures”, allowing hackers to “easily penetrate its systems”.
Updated with CSG comment.
