
TalkTalk customers remain at serious risk of cyber-attacks due to gaping security holes in the company’s online services, weeks after the high-profile hack that saw the personal details of 157,000 customers stolen.
Security researchers say they have uncovered a series of vulnerabilities on TalkTalk’s website and email services that, because of basic oversights, could allow hackers to steal email addresses, passwords and financial data.
In the wake of the October attack, in which bank account numbers, credit card details and other personal data were stolen, the broadband operator says it has taken major steps to improve security in an attempt to restore its reputation.
However, several parts of its website remain unencrypted, as do parts of its email services, according to Codified Security, a mobile cybersecurity testing firm.
The vulnerabilities mean that a hacker who can see a customer’s internet traffic could intercept communications, redirect victims to malicious websites or read sensitive data. People are typically exposed to these kinds of attacks on public Wi-Fi networks, such as those at coffee shops and airports, where the network operator or anyone else on the network can observe unencrypted traffic.
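The checks the researchers describe are quick precisely because they amount to inspecting what a server sends back: is the page served over plaintext HTTP without redirecting to HTTPS, is HSTS absent, do session cookies lack the Secure flag, and does a login form post its password over HTTP. The script below is an added illustration written for this page, not Codified Security’s tooling and not anything captured from TalkTalk; the hostname example.test and the three sample responses are constructed, and the finding labels are this example’s own.

```python
"""Audit a captured HTTP response for the plaintext/transport weaknesses
that let an on-path attacker on public Wi-Fi read or rewrite traffic.
Added example; the responses below are constructed, not real captures."""
import re

# Constructed: a login page served over plain HTTP with weak cookie settings.
WEAK_RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    '<form action="http://example.test/login" method="post">'
    '<input name="user"><input name="pw" type="password"></form>'
)

# Constructed: the same URL requested over HTTP, but the server now redirects to HTTPS.
HARDENED_HTTP_RAW = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.test/login\r\n"
    "\r\n"
)

# Constructed: the HTTPS page with HSTS, Secure/HttpOnly cookies and an HTTPS form action.
HARDENED_TLS_RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    '<form action="https://example.test/login" method="post">'
    '<input name="pw" type="password"></form>'
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _version, status, *_ = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return int(status), headers, body


def audit(scheme, raw):
    """Return a list of finding labels for a response fetched over `scheme`."""
    status, headers, body = parse_response(raw)
    values = lambda name: [v for k, v in headers if k == name]
    findings = []

    # A plaintext page is acceptable only if it immediately redirects to HTTPS.
    location = values("location")
    redirects_to_https = (
        300 <= status < 400 and bool(location)
        and location[0].lower().startswith("https://")
    )
    if scheme == "http" and not redirects_to_https:
        findings.append("plaintext-http-no-redirect")

    # Without HSTS a browser will still follow http:// links next time.
    if scheme == "https" and not values("strict-transport-security"):
        findings.append("missing-hsts")

    # Cookies without Secure are sent over HTTP too; without HttpOnly, script can read them.
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie-{name}-not-secure")
        if "httponly" not in attrs:
            findings.append(f"cookie-{name}-not-httponly")

    # A form that posts to http:// sends the credentials in the clear.
    for action in re.findall(r'<form[^>]*\baction="([^"]*)"', body, re.I):
        if action.lower().startswith("http://"):
            findings.append("form-posts-over-plaintext")

    # A password field on a plaintext page can be rewritten by an on-path attacker.
    if scheme == "http" and re.search(r'type="password"', body, re.I):
        findings.append("password-field-on-plaintext-page")

    return findings


if __name__ == "__main__":
    for label, scheme, raw in [("weak", "http", WEAK_RAW),
                               ("hardened http", "http", HARDENED_HTTP_RAW),
                               ("hardened https", "https", HARDENED_TLS_RAW)]:
        print(f"{label}: {audit(scheme, raw) or 'no findings'}")
```

The script works on a response you have already captured (for example from a proxy or a saved `curl -i` output), so it can be run offline. Two caveats a practitioner would add: HSTS only protects a browser after its first HTTPS visit unless the domain is on the preload list, and a clean result here says nothing about the rest of the site, only about the page you fed in.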
Martin Alderson, Codified’s chief technology officer, said the vulnerabilities the company had found were almost unheard of among major technology companies, and could be spotted within seconds of visiting the TalkTalk website.
He said Codified had found several instances of industry-standard security techniques not being implemented on TalkTalk’s website. “I would be surprised if any start-up, let alone a FTSE 250 company, would do this,” Mr Alderson said. “If you were a security professional you’d find [these flaws] in a few seconds.”
Codified contacted TalkTalk two weeks ago about the vulnerabilities but has had no response, Mr Alderson said.
A spokesman for TalkTalk said the company was working to improve security. “We cannot go into detail on specific aspects of our website and email platforms for obvious security reasons, however the security of our systems is a top priority and we constantly run vulnerability checks using tools developed by industry-leading experts,” he said.