TalkTalk information likely to be discoverable on the dark web

Michael Marriott | 4 December 2015

Last month, TalkTalk disclosed that they been the victim of a cyber attack on its website. Initial disclosures indicated that up to 4 million customer records could have been affected, but this was later revised to just short of 157,000. Shortly after the public notification of the attack, data appeared on sharing sites and advertisements for the data on dark web marketplaces. Several arrests have since been made in the UK and Northern Ireland in relation to the investigation.

 

On 20 November, a dark web user published a file that claimed to contain data pertaining to the TalkTalk breach. The file contained 249 records, including names and associated dates of birth, addresses, email addresses, telephone numbers, bank account details and what appear to be details of TalkTalk customers and transactions. The user provides contact details, including instant messaging details, a Tor email, Internet Relay Chat (IRC) details and links to a marketplace profile on "Python Market" -- a criminal marketplace.

 

Review of the user profile on Python Market shows the user had registered on 05 November 2015 and was last active on 26 November with two sales. The user also claims to hold data from several other previous breaches, including high-profile public breaches, such as the Adult Friend Finder and data from a large cable provider, so there is a realistic possibility that the data has not been initially acquired by the user, but was aggregated for sale.

 

Initial review of the alleged TalkTalk data leads us to assess a realistic possibility that the data is authentic. The data fields provided match what TalkTalk have stated were compromised and open source research against a sample of the data suggests that the emails relate to real world entities, and that they have not been re-purposed from previous breaches. The data also included references to legitimate TalkTalk plans and voucher codes. Judging by the level of detail in the records, we assess that this information would be complex to fabricate.

 

If the data is indeed authentic, then it is indicative that at least some of the data compromised as part of the TalkTalk attacks in late October 2015 has been distributed and is being used and likely sold to others in the criminal marketplace. This data contains enough information for attackers to gather further information about victims, make approaches through telephone calls and emails, attempt social engineering attacks to obtain further PII or send unsolicited email for the purposes of spam or malware infection.