‘Wholly inaccurate and very significantly overstated’: TalkTalk confirms data breach probe – but says it's not as bad as claimed
The hacker is believed to have accessed TalkTalk customer data via a third-party subscription platform
UK telecoms firm TalkTalk has confirmed that it's suffered a data breach, with a hacker known as b0nd claiming responsibility.
According to reports from TechCrunch, b0nd is offering the personal data of more than 18.8 million current and former TalkTalk subscribers for sale on a popular cyber crime forum.
The data is claimed to include customer names, email addresses, IP addresses, phone numbers and subscriber PINs.
The threat actor is believed to have accessed the data via the systems of a third-party supplier. While the supplier remains unnamed, screenshots shared by b0nd suggest it is CSG’s Ascendon platform, which TalkTalk uses for subscription management.
TalkTalk confirmed the probe in a statement given to ITPro.
"As part of our regular security monitoring, given our ongoing focus on protecting customers’ personal data, we were made aware of unexpected access to, and misuse of, one of our third-party supplier's systems, however, no billing or financial information was stored on this system," a spokesperson told ITPro.
"Our Security Incident Response team is continuing to work with the supplier regarding this matter, and protective containment steps were taken immediately."
The spokesperson added that the claims about the number of people affected were "wholly inaccurate and very significantly overstated".
TalkTalk currently has around 2.4 million customers, vastly fewer than the number claimed by b0nd, and the third-party supplier manages a smaller number than that.
Meanwhile, many records are duplicated.
"Based on various dark web forum postings, it appears the threat actor has gained access to one or multiple CSG Ascendon subscription management platform tenants, some of which provide reports showing stored PINs in plain text - best practice dictates these be encrypted," said Cory Michal, chief security officer at SaaS security company, AppOmni.
Michal added that b0nd appears to have only around four million data records, including PIN, name, email, IP address, and subscriber phone, in various combinations.
"b0nd is a relatively new account on the forum where the sale was posted, with the first post being on January 19 offering a Rust-based RAT for $30,000. The actor is now reposting full breach dumps from previous attacks to try and gain credibility on the account," he said.
"Additionally, one of the screenshots b0nd posted also claims to have data from 'Netflix Bundle Activations', which is something else to watch for."
It's not the first time that TalkTalk has suffered a data breach. In 2015, it revealed that personal data belonging to around four million people had been accessed in a cyber attack.
The telecoms firm was hit with a £400,000 fine from the Information Commissioner's Office (ICO) as a result.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.