TalkTalk confirms data breach after customers are fleeced by Indian scammers

Third-party hack causes customer data to fall into hands of criminals

TalkTalk has admitted to a data breach that led to customers being scammed for thousands of pounds.

A post on a TalkTalk forum explained that a third party with "legitimate access to customer accounts" was hit by a data breach last year, causing information to go missing. The party has begun legal action against the supplier.

The scammers, based in India, have been using the stolen data, which includes account numbers, addresses and account holders' names, to trick customers into thinking they are calling from TalkTalk.

They then claim to have identified problems with the TalkTalk router and prompt the customer to download software to let them access the computer and fix the 'problem'. They also promise a compensation payment of £250.

However, the scammers actually use the information and access to wire money from the customer's account. The Guardian reported that one man was stung for £2,800 after trusting the scammer because they knew his account information.

Another customer confirmed on a forum that they had received a call from a scammer on 27 February using the information to try to trick them into allowing laptop access.

"I have just had 'THE' call from 'TalkTalk' and like everyone else was surprised he had my address and account number. I deliberately wasted his time for 15 minutes and then hung up," they wrote.

TalkTalk has warned customers to be vigilant about such calls on its forums, noting that it would never ask to download software to a customer's machine or call customers and identify them using account details.

A TalkTalk spokesperson confirmed to V3 that it began investigating whether a hack had taken place after reports of customers being scammed emerged last year. It discovered that this was indeed the case.

"We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly," the spokesperson said.

The company claimed that no financial data such as bank or credit card details or dates of birth were taken, and that no TalkTalk Business customers were affected.

TalkTalk also said that it has informed the Information Commissioner's Office (ICO) of the incident.

The ICO could fine TalkTalk up to £500,000 because of the breach, although investigations into the cause are likely to take some time.