2015 TalkTalk data breach

In October 2015, British telecommunications provider TalkTalk experienced a cyber attack that resulted in a data breach. As a consequence, personal and banking details of around 160,000 customers were illegally accessed.

In the course of the attack, TalkTalk received a ransom demand from a group claiming to be responsible. Some customers complained that they were targeted by criminals before TalkTalk disclosed the cyber-attack, and the Chair of the Home Affairs Select Committee said "Suggestions that TalkTalk has covered up both the scale and duration of this attack ... must be thoroughly investigated."

Attack and perpetrators
The attack was carried out using SQL injection.

In September 2016, hacker Daniel Kelley was charged with blackmail, computer hacking, and fraud in connection with the TalkTalk data breach and various other attacks. He pleaded guilty to 11 of the offences later that year. He was sentenced to 4 years jail time in 2019.

In November 2018, two further suspects were found guilty of cybercrime charges in connection with the data breach.

Scope
It was initially thought that up to 4 million customers could be affected by the breach. On 24 October, TalkTalk issued a statement saying that a "materially lower" amount of customers’ financial information was stolen, and that the stolen data was not sufficient for money to be taken from bank accounts. On 6 November, TalkTalk stated that the impact of the breach was "much more limited than initially suspected", adding that 156,959 customer accounts were involved, from which 15,656 sort codes and bank account numbers had been taken. Partial data on 28,000 credit and debit cards was also stolen, but that data was insufficient for carrying out transactions on those cards. TalkTalk stated that the lost data had not been encrypted, and that they had not been legally required to encrypt it.

Aftermath
The direct and indirect costs of the attack for TalkTalk have been estimated at GB£77 million. On 5 October 2016, TalkTalk was fined £400,000 by the Information Commissioner's Office for its negligence on securing client data.