British telecoms giant TalkTalk has confirmed it is investigating a data breach after hackers claimed to have stolen the personal information of millions of customers.
In a post on a popular cybercrime forum seen by TechCrunch, an individual using the alias “b0nd” claimed to have stolen the personal data of more than 18.8 million current and former TalkTalk subscribers. This data that threat actors are offering for sale likely includes customer names, email addresses, IP addresses, phone numbers, and subscriber PINs.
In a statement to TechCrunch, TalkTalk spokesperson Liz Holloway confirmed that the company is investigating the data breach, but said the 18.8 million figure claimed by the hackers was “completely inaccurate. “It’s very, very exaggerated.”
TechCrunch understands that TalkTalk currently has approximately 2.4 million customers.
“As part of our regular security monitoring and our continued focus on protecting our customers’ personal data, we became aware of unexpected access and misuse of our third-party supplier’s systems,” Holloway said. he told TechCrunch. “Our security incident response team continues to work with the supplier on this matter and protective containment measures were immediately taken.”
Holloway did not name the third-party supplier, but screenshots shared by b0nd suggest the data was stolen from CSG’s Ascendon platform, which TalkTalk uses to manage subscriptions.
CSG did not immediately respond to TechCrunch’s questions.
TechCrunch understands that a small percentage of TalkTalk customers’ personal information is stored on Ascendon. Holloway confirmed to TechCrunch that “the system does not store any billing or financial information.”
TalkTalk was previously fined £400,000 after a data breach in 2015 in which hackers stole the personal data of 157,000 customers, including some financial information. Britain’s Information Commissioner said at the time that TalkTalk had failed to implement “the most basic cybersecurity measures” that would allow hackers to “easily penetrate our systems”.