TalkTalk has launched an investigation into a third-party data breach, after a hacker allegedly put nearly 19 million customers’ details for sale online.
A statement from a hacker known as “b0nd” claimed they were selling data obtained in a breach in January 2025.
“As the title says today we will list for sale a large data breach involving TalkTalk,” b0nd’s post on a hacker forum read.
“This breach took place January 2025 and affects 18,839,551 current and previous customers.”
In a statement, TalkTalk said that no billing or financial information was at risk.
“As part of our regular security monitoring, given our ongoing focus on protecting customers’ personal data, we were made aware of unexpected access to, and misuse of, one of our third-party supplier’s systems, however, no billing or financial information was stored on this system,” a TalkTalk spokesperson said.
“Our investigations are ongoing, however we can confirm that the number of potential customers referred to in certain online posts is wholly inaccurate and very significantly overstated.”
However, the hacker claimed that customers’ names, emails, last-used IP addresses, business phone numbers and home phone numbers had been exposed.
TalkTalk is currently working with the third party, believed to be subscription management platform CSG Ascendon.
Screenshots shared by the hacker suggest the data was possibly stolen from Ascendon, rather than directly from TalkTalk.
TalkTalk has historically used CSG Ascendon’s services.
In a statement, a CSG spokesperson told BleepingComputer: “On Jan. 21, 2025, CSG learned that an external party gained unauthorised access to a single provider’s data residing on a CSG platform.
“We have no evidence that CSG’s technologies and systems were compromised or that CSG was the cause of the unexpected access to the data.
“CSG provided immediate containment and is actively supporting our customer.”
In 2015, TalkTalk suffered a data breach where a 17-year-old hacker accessed the personal details of 160,000 customers.
The incident led to a £400,000 fine by the UK Information Commissioner’s Office.
How to protect yourself from fraud
Use the following tips to protect yourself from fraudsters.
- Keep your social media accounts private – Think twice before you share your details – in particular your full date of birth, address and contact details – all of this information can be useful to fraudsters.
- Deactivate and delete old social media profiles – Keep track of your digital footprint. If a profile was created 10 years ago, there may be personal information currently available for a fraudster to use that you’re not aware of or have forgotten about.
- Password protect your devices – Keep passwords complex by picking three random words, such as roverducklemon, and add or split them with symbols, numbers and capitals.
- Install anti-virus software on your laptop and personal devices and keep it up to date – This will make it harder for fraudsters to access your data in the first place.
- Take care on public Wi-Fi – Fraudsters can hack or mimic public networks. If you’re using one, avoid accessing sensitive apps, such as mobile banking.
- Think about your offline information too – Always redirect your post when you move home and make sure your letter or mailbox is secure.
Data exposed
A name, email address and phone number are all scammers need to swindle unsuspecting victims.
It’s important to always be wary of emails from unknown senders, as well as texts and calls.
These personal details can be used to entice people into a scam, or used to gain more information about a potential victim.
Delivery scams are rampant – and only require a name, email address or phone number.
“If you get a message that asks you to pay to get the parcel or reschedule the delivery, it’s usually a scam,” warns Citizens Advice.
“Don’t click any links in the text or email. Delivery companies won’t ask you to pay them through a link in an email or text.”
Citizens Advice also cautions the public to avoid giving away personal information to people they don’t know.
“Some scammers try to get your personal information – for example, the name of your primary school or your National Insurance number,” the organisation explains.
“They can use this information to hack your accounts.”
That means also being careful of how much you share on social media.