Too much freedom of information?

Telecoms company TalkTalk is the latest to fall victim to a cyber attack, raising concerns over how powerless victims seem to be to prevent such data breaches.

When TalkTalk announced that there had been a cyber attack on its website, it was not clear how many of its customers, of which there are more than four million, had been affected or what information had been accessed.

More than a week after the attack, affected customers began finally receiving letters from the company.

The news was better than expected for TalkTalk: fewer than 21,000 unique bank account numbers and sort codes were accessed; fewer than 1.2 million customer email addresses, names and phone numbers were breached; fewer than 28,000 obscured credit and debit card details were taken and fewer than 15,000 customer dates of birth were hacked.

However, while the figures are far lower than first feared, there is still a major concern for customers. This data may not be enough for criminals to get into your bank account but there is still the concern of identity theft.

Former chief constable of Cumbria and digital crime specialist Stuart Hyde, who now runs his own company Stuart Hyde Associates, explains: “The bigger danger is that somebody gets socially engineered.

Stuart Hyde “So, for example, I’m a criminal and I find out somebody’s email address, their bank account is with such-and-such, I can then spoof them into thinking that I am the bank and get them, if I worry them enough, to do something that I want them to do like put their money from one account to another or make a convincing story to get additional information from them which I can then use to access their money.”

Detective Inspector Craig Smith, of the intelligence bureau at Cumbria Constabulary, said people often call the police with concerns about scams.

He says: “We get a lot of people ringing up concerned about phishing scams and cold calls that they get from third parties that are often based around the world.

“They’ll get their details and just start sending phishing emails.

“I think most people who are regular users on computers will be subject to spam or phishing emails.”

Phishing is a method used by fraudsters to access valuable personal details like usernames and passwords, which can have a monetary value to criminals. Phishing can also involve sending emails or text messages which may appear to be authentic communications from legitimate organisations but which have malicious attachments or website links that carry viruses.

Clicking on such links may direct you to a hoax website where your login or personal details may be requested. Once your personal details have been accessed, criminals can record this information and use it to commit fraud crimes like identity theft and bank fraud.

Investigating online fraud offences is complex.

Cyber attacks are a global issue, as shown by the three arrests made so far in the TalkTalk inquiry: a 15-year-old boy from County Antrim in Northern Ireland was arrested last Monday in connection with the alleged data theft and bailed until a date in November; a 16-year-old boy from Feltham in west London was held on suspicion of computer misuse after a search of his home on Thursday and a 20-year-old man was detained at an address in Staffordshire on Saturday, as police carried out a search of the property as part of their investigations.

DI Smith says: “The difficulty we’ve got is the crime itself – we’ve got to be able to find where the crime is for that organisation or force to deal with it. If it’s someone sat in Paris who decides to send you an email to run a scam, the crime’s been perpetrated in France. So it’s not actually a UK or Cumbrian crime.

“It’s very difficult. Obviously you don’t want multi-million pound frauds sat on your books. We want to be proactive and positive around our investigations and prosecute people for these offences but we need to be able to establish first and foremost where they are actually taking place.”

Online fraud offences are reported to the national fraud and internet crime reporting centre, Action Fraud. Once it has been established where the perpetrators are located, the local force is brought into the investigation.

In the past, when offences were reported to Action Fraud, regional police forces did not have to record the offences as crimes. However, rule changes coming in this month means they will be included.

Mr Hyde says: “I think that’s an excellent idea because those are offences and they are just as important to people as physical crimes. You might get four officers attending where somebody has been assaulted and some money stolen, which might be £10 or £50, and yet somebody’s life savings have disappeared and really there isn’t a lot the police do.

“I think bringing it all in together will give a much better picture of crime but also it’s much more likely that people will be investing in cyber crime, digital fraud, identity theft and those sorts of issues.”

Craig Smith DI Smith continues: “We don’t know how much is going on and how much people don’t report because they’re either embarrassed about it or they’re not interested in reporting it and they’ve got their own reasons for that.

“A lot of people, and I’ve been subject to this as well, are quite blase around their internet security and we need to try and get them more and more security conscious. Issues such as the TalkTalk event clearly heighten it and tend to make people wake up a bit.”

DI Smith encourages people to make sure they have firewalls and antivirus software that are up to date.

He also advises creating strong passwords and not having the same password for everything. If you are in doubt about who is on the end of the phone, do not hand over any details and call your bank.

When asked why cyber attacks are on the increase, Mr Hyde says: “I think because there’s more and more people online, it’s more and more challenging.

“Some people do these attacks for thrills, some people do it for money, some people do it because of a state sponsor or they’ve got some sort of concern. I think it’s easier for people to find out how to do it. Plus there are far more victims out there because more and more people are putting information online.”

For more information on how to stay safe online visit: www.cumbria.police.uk/Advice-Centre/Online-Safety/Online-Safety.aspx or www.getsafeonline.org