The cyber fraud woes of British telecom giant Talk Talk are not over, if detailed reports of a call centre scam in India are to be believed.
The BBC and other media reported this week that Talk Talk customers are being targeted by an industrial scale fraud network in India, according to sources close to the alleged scam.
Talk Talk was fined a record £400,000 fine for security failings after a cyber attack in 2015 which led to the theft of personal data of almost 157,000 customers.
Currently it is facing compensation claims from dozens of people who are said to have been affected by a call centres ‘scam’ operated from Calcutta. Leigh Day solicitors is representing about 20 of these people who between them are believed to have lost almost £100,000. Questions are being asked about the company’s allegedly slow and inadequate response to the scam.
The testimony of three sources who claim to have been among hundreds hired by the call centres in India makes grim reading for Talk Talk, particularly after its 2015 debacle. Following that data breach (apparently unconnected to the call centre ‘scam’) the firm was slated by the UK Information Commissioner’s Office for “failure to implement the most basic cyber security measures”.
The three sources told media they were employed by two front-companies set up by a gang of professional fraudsters.
They described working in “call centres” in two Indian cities, where as many as 60 “employees” work in shifts in each office, phoning TalkTalk customers and duping them into giving access to their bank accounts.
The whistleblowers say they would claim they were calling from TalkTalk, and convince victims to install a computer virus, which a separate team would then use to gain access to victims’ online banking.
The scam is alleged to be linked to problems in a company hired by Talk Talk in 2011, when it outsourced some of its call-centre work to the Calcutta office of Wipro, one of India’s largest IT service companies.
Last year, three Wipro employees were arrested on suspicion of selling TalkTalk customer data. The same data was allegedly obtained by a criminal gang, and used at the three call centres.
Media reports suggests that although the data breach at Wipro is believed to have occurred in late 2014, Talk Talk only began a “forensic review” leading to the arrests at Wipro after the apparently unrelated cyberattack in October 2015.
“We are aware that there are criminals targeting a number of UK and international companies, and we take our responsibility to protect our customers very seriously,” a spokeswoman for TalkTalk told media.
“This is why we launched our Beat The Scammers campaign, helping all our customers to keep themselves safe from scammers no matter who they claim to be, while our network also proactively blocks over 90 million scam and nuisance calls a month.”
Wipro has not commented on the claims.
Talk Talk’s profits more than halved following the 2015 cyber attack. Mark Emmott, a lawyer and director of the global risk management conference organisers Retail Knowledge commented that Talk Talk may have compounded its reputational damage by not informing customers of the data theft by Wipro employees.
“In the current state of the law it is unlikely anyone will force Talk Talk to reveal the full nature of the breach through the courts. However it is likely that within a few years UK customers’ digital details will be protected by intellectual property laws,
“Then a firm finding itself in Talk Talk’s position will be required by individuals and even a court order to reveal specifically what happened and why. And claims for damages could be very high if high net worth individuals are affected.
“Of course a company may escape paying damages if it can show that it acted reasonably. However, the threshold applied by a court is likely to be significantly lower than that applied by consumers; both existing and potential customers.
“Companies can be sure that competitors will not allow the market to forget quickly critical failures to protect personal data that can be used to further criminal ends.”