There’s lots that can be said, and has been said, about the hack of UK telecoms firm TalkTalk:
- That it should never have happened – because any corporate website worth its salt should be hardened against SQL injection attacks.
- That TalkTalk should have taken security more seriously – after the two other security breaches its customers suffered in the last 12 months.
- That TalkTalk CEO Dido Harding was in no position to criticise her competitors’ security, claiming TalkTalk was “head and shoulders” better, while many of her customers were still in the dark as to whether they were at risk.
- That TalkTalk CEO Dido Harding’s debatable claim that the company was under no obligation to encrypt credit card data ignores the company’s moral obligation to protect customers’ personal information.
- That the company is damn lucky that only a fraction of its four million customers had their details exposed – and that doesn’t appear to be down to any skill on TalkTalk’s side.
Full details on how you can apply for a termination fee waiver from TalkTalk have been published on its website.
But, inevitably, there’s a catch in the small print.
Unsurprisingly, to qualify for the termination fee waiver you have to have lost money from your bank account as a consequence of the hack. And note that the financial loss has to have been since the latest hack, not the previous hacks for which TalkTalk customers continue to await compensation.
However, in addition, you must not have given the scammers *any* additional information.
“In the unlikely event that money is stolen from a customer’s bank account as a direct result of the cyber attack (rather than as a result of any information given out by a customer) then as a gesture of goodwill, on a case by case basis, we will waive termination fees.”
And this, of course, is what TalkTalk is betting will prevent a flood of defrauded users from leaving their contract without paying a termination fee.
Because typically the way the TalkTalk scams are operating is that you receive a phone call (because the scammers stole your phone number details from TalkTalk), where they convince you that they’re calling from TalkTalk (because they know your name, date of birth and bank account information – all stolen from TalkTalk). Perhaps they even confirm the last four digits of your credit card (amongst the payment information stolen from TalkTalk).
And the scammers use this social engineering to dupe you into installing malware onto your computer (with the pretence of being TalkTalk customer support fixing a security problem), or they ask for further information that will help them commit identity theft by claiming they want to pay you compensation for the recent hack.
That sounds to me like TalkTalk thinks it’s perfectly fine for it to be careless with your personal data, but if you are tricked into sharing anything else *because* the scammers are using the data that they stole from TalkTalk… well, TalkTalk thinks that’s entirely your fault.
In my opinion, that’s no way to treat your customers.
Those TalkTalk customers who have lost money as a result of the series of hacking attacks aren’t going to feel any loyalty to a brand which treats them like that. Instead, they’re going to tell everyone they know for *years* to come not to go near the company with a bargepole.
It’s all rather depressing… in order to cheer myself up, I made an autotune video of Dido Harding describing the conditions under which TalkTalk will consider waiving your termination fee.
Please consider subscribing to my YouTube channel if you’d like me to make more videos. They’re not all as silly as this.
Oh, and if you’re not getting any joy from TalkTalk, some are suggesting that there is a loophole through which TalkTalk customers can ditch their accounts without paying a fee.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.