It hasn’t been a fantastic week for the Great British public: late last week potentially 4 million TalkTalk customers had their personal information stolen, M&S’ website accidentally revealed its users’ data to other users, and now British Gas has joined the list.
British Gas
On Thursday (28/10/2015) of this week British Gas contacted 2200 of its customers to inform them that their email addresses and passwords have been published online. The associated accounts have since been locked for the time being.
They were quick to point out that “there has been no breach of [their] secure data storage systems”. It is therefore thought that the data either came from other breaches online or via phishing attacks.
This problem can occur when folks use the same email address, but more specifically the same password, on multiple accounts online.
Therefore when another large breach occurs, cyber criminals can attempt to use the credentials they’ve stolen or bought on other websites, hoping that a few users will have used the same credentials.
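The pattern described above (one source trying stolen credentials against many unrelated accounts, with most attempts failing) is something a site can spot in its own login logs and respond to by locking the handful of accounts that did succeed, much as British Gas did. The following is an added example, not code from the original post or from any of the companies mentioned; the login events are constructed sample data and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source IP, account, outcome).
# One source cycles through six accounts and gets into one of them;
# the other two sources are ordinary users logging in to their own accounts.
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice@example.com", "fail"),
    ("203.0.113.7", "bob@example.com", "fail"),
    ("203.0.113.7", "carol@example.com", "success"),   # reused password worked
    ("203.0.113.7", "dan@example.com", "fail"),
    ("203.0.113.7", "erin@example.com", "fail"),
    ("203.0.113.7", "frank@example.com", "fail"),
    ("198.51.100.20", "dave@example.com", "fail"),     # typo, then correct password
    ("198.51.100.20", "dave@example.com", "success"),
    ("198.51.100.21", "gina@example.com", "success"),
]


def detect_credential_stuffing(events, min_accounts=5, max_success_ratio=0.2):
    """Return {source_ip: [accounts tried]} for sources that look like stuffing:
    many distinct accounts attempted and only a small fraction succeeding.
    Thresholds are assumed values; tune them to the site's normal traffic."""
    per_source = defaultdict(lambda: {"accounts": set(), "attempts": 0, "successes": 0})
    for src, account, outcome in events:
        stats = per_source[src]
        stats["accounts"].add(account)
        stats["attempts"] += 1
        if outcome == "success":
            stats["successes"] += 1

    flagged = {}
    for src, stats in per_source.items():
        success_ratio = stats["successes"] / stats["attempts"]
        if len(stats["accounts"]) >= min_accounts and success_ratio <= max_success_ratio:
            flagged[src] = sorted(stats["accounts"])
    return flagged


def accounts_to_lock(events, flagged_sources):
    """Accounts a flagged source actually got into: these are the ones whose
    reused password is now known to be compromised and should be locked."""
    return sorted({acct for src, acct, outcome in events
                   if src in flagged_sources and outcome == "success"})


if __name__ == "__main__":
    suspicious = detect_credential_stuffing(SAMPLE_EVENTS)
    print("suspicious sources:", suspicious)
    print("lock these accounts:", accounts_to_lock(SAMPLE_EVENTS, suspicious))
```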
If you have trouble remembering long complex passwords for multiple accounts online then you might want to think about using a password manager.
Password managers store your credentials in secure “vaults”, so you only have to remember one strong master password to gain access to your vault.
TalkTalk
TalkTalk’s third breach this year has been a developing story over the past week. First Russian Islamic jihadist hackers were blamed, then a 15 year old boy from Ireland was arrested and now a 16-year-old has been arrested as well.
Both the reporting and the response from TalkTalk has been a bit of a mess but luckily it doesn’t seem as bad as first thought, although TalkTalk’s website is still down for customers (30/10/2015).
“It would appear that during a DDoS attack to hide their true intent, data was compromised and stolen from TalkTalk’s servers,” explains Mark James, ESET security specialist.
“The data of all their customers will almost certainly be used for potential identity theft along with the obligatory attempts at financial access with any current information they may have attained.
“The majority of this haul will be used for targeted phishing attacks to gain more useable data by trying to establish a trust relationship with you by using partial true info in their attack.”
TalkTalk have offered affected users free credit monitoring alerts, which has become a welcome standard from companies that suffer breaches.
Some users are already reporting having funds stolen from their accounts, so if you’re a TalkTalk customer and you notice something suspicious, call your bank directly ASAP. Once TalkTalk’s website is back up, change your password and remember to make it complex and unique.
***UPDATE*** TalkTalk have confirmed that 21,000 unique bank account numbers and sort codes were stolen. Also 28,000 obscured credit and debit card details; 1.2 million addresses, names and phone numbers; 15,000 DoB. Much smaller than expected but still pretty abysmal.
M&S
Last but certainly not least, M&S, via a fault in their website, revealed their users’ personal data to other users trying to log in to their accounts.
On Tuesday (27/10/2015) users attempting to log into M&S’ website would be greeted by a typical account page filled with a different user’s details.
Affected users quickly reported this fault to M&S who shut the website down for maintenance. The fault now appears to be fixed but surely trust in M&S has taken a knock?
“Whilst this particular event was not “hacking” related, an awful lot of users’ first thoughts would have been that their accounts were hacked; it’s much harder for a company to regain that trust even if no hacking had actually taken place.
“Planning and testing is the only way to ensure that inevitable glitches do not cause serious problems but even this won’t stop any issues 100% so having a clear back up plan ready for when things go wrong should always be considered.”
Were you affected by any of the above breaches? Has your trust in the company taken a blow?
Join the ESET UK LinkedIn Group and stay up to date with the blog. If you’re interested in seeing where ESET has been featured in the news then check out our ‘In the news’ section.
Are you Serious about Security? If you are then check out everything that’s going on during Security Serious week.