The article below about the TalkTalk data loss in the autumn/winter last year is worth highlighting because it shows the risks of third-party suppliers not having their own protective systems (and contracts) in place. The data loss does not seem to have been very widespread or to have involved particularly sensitive data, but it has exposed customers to scammers posing as TalkTalk on the phone, trying to get the customer to divulge more sensitive information such as bank details. The really interesting bit to me is that TalkTalk appear to think that the problem arose through a third-party contractor with the right to access the TalkTalk systems, thereby creating the vulnerability that the hackers exploited, and that they are taking legal action. That could be for negligence or something else. It would be interesting to hear the thoughts of that contractor now on what, with hindsight, they would have wanted to do differently, either to their levels of protection in IT security terms or to their contract with TalkTalk in terms of the liability issues.
TalkTalk customers are being warned about scammers who managed to steal account numbers and names from the company's computers. TalkTalk said it had sent the email to every customer although only a few thousand account numbers went astray. The theft of data was unearthed when TalkTalk investigated a sudden rise in complaints from customers about scam calls between October and December 2014, said a spokeswoman.

Legal action

"We have now concluded a thorough investigation working with an external security company, and we have become aware that some limited non-sensitive information may have been illegally accessed in violation of our security procedure," she said. The attackers got at some of TalkTalk's internal systems via a third-party that also had access to its network. Legal action is now being taken against this unnamed third party.