TalkTalk Investigates Breach After Data for Sale on Hacking Forum

UK telecommunications company TalkTalk is investigating a potential data breach.

By WIRE TOR - Ethical Hacking Services · Published 12 months ago · 5 min read

UK telecommunications company TalkTalk is investigating a potential data breach involving one of its third-party suppliers, after a threat actor began selling what they claim is TalkTalk customer data on a hacking forum.

“As part of our regular security monitoring, given our ongoing focus on protecting customers’ personal data, we were made aware of unexpected access to, and misuse of, one of our third-party supplier’s systems. However, no billing or financial information was stored on this system,” TalkTalk said in a statement.

“Our Security Incident Response team is continuing to work with the supplier regarding this matter, and protective containment steps were taken immediately.”

TalkTalk emphasized that while their investigation is ongoing, the number of customers claimed to be affected by the breach is “wholly inaccurate and very significantly overstated.”

This breach marks another high-profile incident involving third-party suppliers, which have increasingly become targets for cybercriminals. The breach was brought to public attention when a hacker using the alias "b0nd" began selling what they claimed to be TalkTalk customer data on a dark web hacking forum.

Data Breach Claims

The situation began to unfold when the hacker posted a forum message offering what they described as a large data breach involving TalkTalk. The threat actor claimed that the breach occurred in January 2025 and had affected 18,839,551 current and previous customers of TalkTalk.

“As the title says, today we will list for sale a large data breach involving TalkTalk. This breach took place January 2025 and affects 18,839,551 current and previous customers,” the forum post read.

The hacker, using the alias "b0nd," shared a sample of the alleged stolen data, which included details such as the subscriber’s name, email address, business and home phone numbers, as well as the subscriber’s last-used IP address. These are highly sensitive pieces of information that could be exploited for identity theft, social engineering attacks, or further intrusion into personal accounts.

While the forum post raised alarm, TalkTalk quickly cast doubt on the scale of the breach. The company stated that it does not have anywhere near 18.9 million subscribers, which raises concerns over the authenticity of the hacker’s claims.

TalkTalk, in a public statement, made it clear that the number of affected customers reported by the hacker is far overstated and not representative of the actual situation. However, the incident still raises questions about the security of third-party platforms that organizations, including TalkTalk, rely on to handle customer data.

Third-Party Platform Involvement

Further investigation suggests that the data may have been stolen from a third-party service provider, specifically the Ascendon SaaS platform, rather than directly from TalkTalk. Ascendon is a subscription management platform that TalkTalk has historically used in its operations for handling customer accounts and other subscription-related data.

Screenshots shared by the hacker indicated that the data likely originated from the Ascendon platform. This has raised concerns about the potential vulnerabilities in third-party platforms that store sensitive data for large organizations. The fact that the breach appears to involve a third-party supplier rather than the company itself highlights the growing risk posed by supply chain vulnerabilities in the cybersecurity landscape.

The Ascendon platform is widely used by various companies across different sectors, particularly those handling large volumes of customer data. As such, this breach could have broader implications beyond just TalkTalk, raising awareness about the security practices of third-party vendors and the need for stronger safeguards to protect sensitive customer information.

In fact, this incident is reminiscent of previous high-profile breaches that were traced back to third-party suppliers. These breaches underscore the reality that cybercriminals often target vendors with weak security protocols as a backdoor entry point to larger organizations.

A History of Breaches

This is not the first time that TalkTalk has been involved in a data breach. In 2015, the company suffered a significant breach where hackers gained access to the personal details of over 150,000 customers. The 2015 incident, which was one of the most talked-about data breaches in the UK, led to an investigation by the UK Information Commissioner’s Office, which ultimately fined TalkTalk £400,000 for failing to secure customer data adequately.

The latest incident serves as a reminder that the company’s security posture must be continuously reviewed and updated to mitigate new and emerging threats. While TalkTalk has assured its customers that no financial or billing information was compromised in this breach, the company’s track record with cybersecurity has already placed it under scrutiny from both regulators and customers alike.

This breach also highlights the growing importance of cybersecurity protocols and data protection policies when working with third-party vendors. As organizations increasingly rely on external suppliers for various aspects of their business operations, ensuring that these suppliers adhere to robust security standards has never been more crucial.

Supplier Statement

The supplier, CSG, which manages the Ascendon platform, has confirmed that the data did indeed originate from their platform but denied any breach of their own systems. The supplier issued a statement clarifying that the unauthorized access was limited to a single provider’s data residing on their platform.

"On Jan. 21, 2025, we learned that an external party gained unauthorized access to a single provider’s data residing on our platform," CSG stated. "We have no evidence that our technologies and systems were compromised or that we were the cause of the unexpected access to the data. We provided immediate containment and are actively supporting our customer."

CSG’s statement raises important questions about the security measures implemented on the platform and the protocols in place to detect unauthorized access. TalkTalk’s investigation is ongoing, and the company has yet to confirm whether the breach was the result of compromised credentials or another vulnerability.

Investigation Ongoing

The investigation into this breach is still ongoing, with TalkTalk and CSG working together to determine the full scope of the incident. While TalkTalk has assured the public that no billing or financial data was compromised, it remains to be seen whether any other sensitive customer information was exposed.

As of now, organizations are urged to remain vigilant when it comes to third-party security risks. This incident serves as a stark reminder that companies must continue to evolve their cybersecurity strategies to account for the risks posed by vendors and supply chain partners. Robust security protocols, continuous monitoring, and the adoption of strong encryption practices are essential in protecting customer data in today’s interconnected digital landscape.

As investigations continue, TalkTalk will likely update the public on their findings, including whether the breach has led to any significant repercussions for their customers. The company is also expected to take further steps to strengthen its security posture and ensure that such an incident does not occur in the future.

About the Creator

WIRE TOR - Ethical Hacking Services

WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.

Comments (1)

  • Alex H Mittelman 12 months ago

    Crazy breach! Great work! Good job!
