Security Expert Comments: TV Licensing Breach

It has been reported that tens of thousands of consumers who have entered their details on the TV Licencing website are being urged to check their bank statements for suspicious transactions following a data alert. TV Licencing has stated that from 29 August until the afternoon of 5 September 2018, some transactions carried out on the website were “not as secure as they should have been”. It is emailing 40,000 people who entered bank account and sort code details telling them to check their bank accounts for suspicious transactions and to make sure direct debits haven’t been amended.

Information including names, addresses, and emails is also at risk because they were not encrypted when they were transmitted from customers’ computers to TV Licencing. IT security experts commented below.

Dan Pitman, Senior Solutions Architect at Alert Logic:

“From TV Licencing’s statements if you payed immediately via card or other online payment you were safe, bank details would have been entered onto the site by people setting up direct debits at which point the setup information to be processed by the bank may have been changed. It would be prudent to cancel any direct debits and call TV Licensing to setup a new one.

Where financial information combined with emails or other identifying factors are leaked it will enable criminals to put together different sets of data, potentially combining known passwords or personal details with that financial data.

This attack seems similar to the British Airways one, most likely a system or systems were compromised and a command and control application was deployed that allowed the attacker to scrape memory or the site itself was compromised in same way. In this case visitors who want to make on-line payments are immediately moved to completely different website before any details are taken so card details would not have been in memory on TVLicensing’s servers.”

Ryan Wilk, VP of Customer Success at NuData Security:

“Data in the wrong hands – especially payment card information – can have a huge impact on customers, far beyond the unauthorised use of their cards. Credit card information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Using these real identities, and sometimes fake identities with valid credentials, they’ll take over accounts, apply for loans, and much more. Every hack has a snowball effect that far outlasts the initial breach. All customer information is valuable to fraudsters. Name, physical and email addresses, passwords, the content of emails – everything that can be used to compile an identity will be used. We must change the current equation of “breach = fraud” by changing how we think about online identity verification. We need to protect all customer data, but more importantly, we need to make it valueless.Multi-layered technology that thwarts fraud exists right now. Passive biometrics technology is making stolen data valueless by verifying users based on their inherent behaviour instead of relying on their data. This makes it impossible for bad actors to access illegitimate accounts, as they can’t replicate the customer’s inherent behaviour.Analysing customer behaviour with passive biometrics is completely invisible to users. It has the added benefit of providing valid users with a great experience without the extra friction that often comes with other customer identification techniques. When fraudsters try to use stolen customer data or login credentials, they will find the data is useless.The balance of power will return to customer protection when more companies implement such techniques and technology.”