The Scottish Mail on Sunday

It’s not just TalkTalk: firms ... and sell YOUR

Now Vodafone warns its customers after MoS exposes data breach... and triggers major probe by Britain’s ‘FBI’

- By Ben Ellery and Jaber Mohamed

CRIMINALS are selling the private details of thousands of British consumers online as a result of the TalkTalk hacking scandal – and dozens more major companies are affected, The Mail on Sunday can reveal.

Confidential information including names, addresses, mobile phone numbers and bank details of TalkTalk customers are being bought and sold by fraudsters in illegal trading markets on the internet.

And customer details of 14 other big-name brands, including Vodafone, Visa, Sky TV, Amazon and Ticketmaster, are also being sold for as little as 10p, leaving consumers vulnerable to a huge range of scams. Last night the police and National Crime Agency launched an investigation after this newspaper discovered:

TalkTalk customer details from last month’s hack are being sold on the so-called Dark Web – the unregulated part of the internet – for as little as £1.63;

Visa debit card details of Halifax account holders can be bought for £10 each;

Mobile phone accounts for Vodafone, O2, EE and TV subscriptions for Sky and BT Sport customers are also for sale. When presented with our findings, Vodafone admitted that more than 1,800 customer records had been compromised, and some had been affected by fraudulent activity;

Passwords and user names for major retailers such as Amazon, Uber, Ticketmaster and Ocado have also been stolen and are being sold in bulk. Sandwich chain Subway last night told its online customers to change their passwords as a result of our findings;

Nectar card and Boots Advantage card loyalty points are being sold, as well as Airmiles.

Last month’s hacking of TalkTalk data has exposed how vulnerable Britain’s businesses are to cyberattack – raising serious fears for the security of their customers’ personal and financial details.

On Friday, TalkTalk confirmed that hackers accessed up to 1.2million email addresses, names and phone numbers. Thousands of bank account numbers, sort codes and partially obscured credit and debit card details were also stolen. Last night a 20-year-old man in Staffordshire became the third person to be held in connection with the hack, following the arrests of a 15-year-old boy from Northern Ireland and a 16-year-old boy from West London.

‘I have no idea how they got my data’

And despite assurances from TalkTalk chief executive Dido Harding that no transactions could be easily made with the data, angry customers reported money had been fraudulently taken from their bank accounts, and our investigation has proved how quickly the data has reached the criminal underworld to be used and abused by conmen.

The Dark Web, which can be accessed using a specially-encrypted browser downloaded in seconds, is used by criminals to anonymously sell weapons, drugs, stolen data and child pornography. Sales are made using a currency known as Bitcoins – an electronic payment which cannot be traced back to sellers or buyers.

Our reporters logged on to one of the Dark Web’s most popular sites – an eBay-style market – which claims to have more than 200,000 users. By typing ‘TalkTalk’ into the search bar we found a seller called ‘The Martian’ who was advertising customers’ account details.

His ad said: ‘All this information has come from the recent TalkTalk cyber attacks. I’m not saying I did this, but this information is very valuable and I have a lot of it.’

Yesterday the listing had been viewed 466 times and had 18 sales, each of which could contain the details of hundreds of customers.

The MoS bought a small sample to check the details were genuine. We received names, addresses, phone numbers, customer numbers, email addresses, bank account numbers and sort codes.

It quickly became clear that TalkTalk customers were not the only ones affected by recent cyber-attacks. On the same marketplace, scammers are selling thousands of UK credit and debit card details. We bought the private data of a Halifax debit card from an online trader known as ‘sterlingsilver’, for £10.

We were sent an instant message with the name, address, mobile number, 16-digit card number and three-digit security number of Kieran Smith, 28, a contracts manager from Leeds.

He told us: ‘I have no idea how these people got hold of my data. I am generally security conscious, which makes it so concerning.

‘I have called Halifax and the account is now frozen.’

We then found an ad offering usernames and passwords for Amazon UK, from a user called ‘stackcash’, who said he had made 111 sales since April and had ‘unlimited’ stock. Anyone with the data could access a person’s wish list, order history, addresses and the last four digits of credit and debit cards – which, combined with other details, could provide an easy route to ID fraud. We paid 84p and were sent the log-in details of Joanna Borthwick, 39, a swimming instructor from Wiltshire. She said: ‘This is pretty scary – you don’t think it will ever happen to you.’

Thousands of accounts for EE, Vodafone and O2 are also being sold online. The details contain usernames and passwords for accounts due for a free upgraded phone. One Vodafone customer we spoke to in Stockport said he contacted the firm but they ‘denied all knowledge’ of their details being compromised. But last night a spokesman confirmed 1,827 customers had their accounts accessed on Thursday, potentially giving criminals their names, mobile numbers, bank sort codes and last four digits of their bank accounts.

Thousands of customer log-ins for taxi firm Uber were being touted for 65p each last night. These would allow scammers to order taxis with unsuspecting victims footing the bill. Jason Stone, 52, from Windsor, was one of the affected customers.

He said: ‘I’m concerned that even though I’ve only used it once, my details have already been stolen.’

We found Boots Advantage card details being sold for as little as £2 for an account with £15 of credit, or £5.18 for £35 or more. The seller claims the accounts allow people to exchange the points for goods online.

Avios Airmile accounts were also available, with one seller advertising accounts with 20,000 points – enough for a return flight from London to Moscow – for £6.50. Accounts with 1 million points – enough to fly around the world – have a black market value of £200.

Last night a security expert suggested the TalkTalk hack was ‘just the tip of the iceberg’ and called for the Government to bring in American-style laws that would force companies to report any suspicions of hacked or compromised data to a regulator. Andy Norton, from computer security company FireEye, said: ‘Most companies may not even know that they’ve been hacked.

‘We have a joke in the industry that most companies manage cybersecurity using “DLPI” – denial, luck, prayer and ignorance. We need better breach notification laws.’

A Metropolitan Police spokesman said: ‘We are aware data stolen from TalkTalk has surfaced on the internet/criminal forums and ... have already taken proactive steps to remove any data identified where possible.’

An NCA spokesman said: ‘The crime threats facilitated by the Dark Web are varied and we use a range of approaches against criminals operating there.’

Mike Penning, the Policing Minister, said: ‘Major cyber breaches like this show the importance of cyber security for everyone.’

All 15 companies affected claimed they were doing everything possible to protect their customers’ details.
