TV Licensing suffers security lapse potentially exposing over 40,000 viewers’ bank details
Over 40,000 television viewers’ banking information could have been exposed due to a security lapse by TV Licensing. Those who entered their details on the TV Licensing website to buy or renew their licence have been urged to check bank statements for suspicious activity.
TV Licensing, the company responsible for doling out TV licences to UK TV owners, warned that from 29 August until around 3.20pm on 5 September 2018, some transactions carried out on the website were “not as secure as they should have been”.
The organisation has now emailed 40,000 people who entered bank account and sort code details telling them to check their accounts for suspicious transactions and to make sure direct debits haven’t been amended. Information including names, addresses, and emails is also at risk because they were not encrypted when they were transmitted from customers’ computers to TV Licensing. Credit and debit card numbers are believed to have remained secure.
It said in a statement that as soon as the issue was discovered “we took the website offline and fixed it. We’re really sorry this happened but want to assure you that the risk to you is low and we’ve taken action to ensure it doesn’t happen again”.
Dan Pitman senior solutions architect at Alert Logic, told Alphr that it would be prudent to cancel any direct debits and call TV Licensing to set up a new one.
“Where financial information combined with emails or other identifying factors are leaked it will enable criminals to put together different sets of data, potentially combining known passwords or personal details with that financial data,” he said.
Ryan Wilk, vice president at NuData Security, told Alphr that data in the wrong hands – especially payment card information – can have a huge impact on customers, far beyond the unauthorised use of their cards.
“Payment card information, combined with other user data from other breaches and social media, builds a complete profile,” he said. “In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world.”