Dodgy TalkTalk Staff and a 4-Year-Old Password Allegedly Aided Fraudsters

By Aatif Sulleyman

It's out of the fire and into an even bigger one for TalkTalk. A new report from The Register suggests that staff may have sold critical information to fraudsters, comprising customers' names, addresses, dates of birth, account numbers, and landline and mobile numbers.

A former TalkTalk employee told the publication that the telecommunications company uses a third-party system to book maintenance engineer visits and record information. Worryingly, the unnamed source claims that the database is accessible through shared login credentials, which hadn't been changed for four years.

Around 1,000 India-based employees and 100 UK-based members of staff are said to have access to the system, though Mr Whistleblower believes the crime was committed abroad. "My educated guess is that the details were leaked by offshore Indian agents," he said.

This comes after numerous TalkTalk customers complained that they were being targeted by fraudsters claiming to work for the company. They apparently knew all the details of the engineer visits and advised the customers to download TeamViewer software, which was subsequently used to try to seize money.

TeamViewer's been in touch with Giz UK, and says, "TeamViewer takes the security and privacy of our users extremely seriously and condemn the use of TeamViewer to subvert systems and gain unauthorized access to private data. It is important to emphasise that those using TeamViewer to facilitate this illegal activity are not using an exploit within TeamViewer. TeamViewer is not a malicious piece of software, however in this situation TeamViewer has been used for nefarious means." [Register]