TalkTalk knew the risk hackers posed to their systems a year ago but failed to implement sufficient changes, an information security expert has said, as customers reveal they were targeted by fraudsters weeks before the firm announced the security breach on Thursday (22 October).
The company now faces tens of millions in lost revenue following the revelations that suspected Islamist hackers had mounted a huge cyberattack on the broadband and phone provider, managing to access customers' personal data and bank details.
Paul Moore, an information security consultant with Urity group, said TalkTalk changed the way it processed credit and debit card payments after consulting with him last September, but ignored his warnings about its lack of encryption.
Now the company is facing an investigation by the Information Commissioner's Office, which has already said the company could have notified it of the breach more quickly. TalkTalk denies reports that it had known about the attack, or any vulnerability in its systems, before Wednesday (21 October).
A spokesperson for the company said on Saturday (24 October) that the data stolen in the attack could not be used by the hackers to steal money from victims' bank accounts. But the same day, several customers reported that their accounts had already been cleared, with some saying they had received phishing calls days before news of the hack broke.
The company's chief executive Dido Harding told the Financial Times that the company had been the victim of a criminal act and was not guilty of negligence, adding that TalkTalk's reputation in future "will be a function of how well we look after our customers now".
That may not be enough to stop customers leaving in droves, nor the mounting compensation claims from those affected by the breach. Security consultant and cyber expert Adrian Culley told the Telegraph the hack was "the Great Train Robbery of the 21st century", adding "there is a potentially huge liability for TalkTalk as a result of this. Future compensation payments could put them out of business."
This is not the first time the company's data has been hacked this year. In August, the company said its mobile sales site had been targeted and personal data breached. In February, TalkTalk customers were warned about scammers who had managed to steal thousands of account numbers and names.