When pensioner Barry Tucker was called at home by his telecoms provider, TalkTalk, quoting his account number and personal details he dutifully carried out their instructions. He was told there was a problem on his computer and that a staff member would resolve it. He gave remote access to his computer, and after the work was completed was told he was entitled to a £200 “compensation” payment, and was invited to click on his bank logo that appeared on his computer.
But the man Tucker was speaking to was not a TalkTalk employee. He was part of the network of crooks who have accessed the details of many thousands of TalkTalk customers stolen from the company in 2015. Instead of paying him £200 the fraudster stole £6,300 from his Santander account – and the real TalkTalk has refused to pay any compensation to him or the many other victims to come forward over the past year.
Tucker, from Norfolk, says he still doesn’t know quite how the fraudster stole the money. He says he’d never made an online payment from his bank account before. Santander, meanwhile, says he inputted the One Time Passcode sent as a text to his TalkTalk-provided mobile phone. This code authorised the payment, although Tucker says he didn’t see it until an hour later.
Other TalkTalk customers who claim they were conned as a result of the company’s multiple data hacks have called on the Information Commissioner’s Office to “get its act together” and finally rule on how fraudsters were able to gain customers’ account and other personal details, to enable them start legal proceedings against the telecoms giant.
Customers started receiving calls to their landlines from fraudsters posing as the firm’s employees as far back as December 2014, and in February 2015 the company admitted a major data breach. But despite this the ICO is yet to decide whether any rules were broken, or even establish the facts.
At least 20 individuals, some of whom lost £10,000, have registered an interest with lawyers in bringing claims against the firm, but say they are growing frustrated at the ICO’s lack of progress. In each case the fraudsters were able to call the customer and quote account details that only TalkTalk would have known. Victims claim it was this that led them to hand over access to their computers, and ultimately to them losing thousands of pounds. It is thought that customers’ details were stolen from an Indian call centre, and a year ago the company confirmed that three India-based contract workers had been arrested.
The data hacks are not thought to be related to the much more publicised hacking of the company by a UK-based teenager that separately led the firm to be fined £400,000 by the ICO.
The situation has prompted some of the victims to question whether the ICO, responsible for policing the way companies hold their customers’ data, is really interested in getting to the bottom of what happened to them.
Guardian Money was recently contacted by another woman who declines to be named. She lost £10,000 in similar circumstances to Tucker last autumn, with the money stolen from her Santander account. Separately, Graeme Smith from County Durham was one of the first victims to come forward after he was defrauded of £2,800 in January 2015. He says he can’t understand why the ICO is taking so long.
“This happened to me two years ago, and since then we have seen the ICO fine the company but stall on pronouncing on the earlier data breaches. There is a group of victims who have all been very patient, but this is starting to wear a bit thin. The ICO needs to get its act together. We have lost considerable sums and would like some answers. Is this body there to protect consumers’ data or not?” he asks.
Sean Humber, a partner at Leigh Day, the solicitors acting for Smith and around 20 other victims, is also surprised at the delay. “I have repeatedly asked the ICO to clarify the nature, extent and progress of its investigations. So far it has simply confirmed that it is investigating incidents reported by TalkTalk and that its investigations are near completion. However, so far it has been unwilling to either identify the dates of any alleged breaches or confirm that it is also looking at complaints received from scammed customers.
“Furthermore, the ICO has indicated that it will then only publish its findings if it decides to take enforcement action against TalkTalk. It is now vital that the ICO completes its investigations and publishes its findings without further delay. The report needs to set out the details of all data breaches suffered by TalkTalk, the adequacy of the security measures in place at the time, the extent to which customers were notified of any breaches in an effective and timely manner, and the effect of any breaches on those scammed.”
A spokeswoman for the ICO told Money: “This has been a complex and detailed investigation involving outsourced processing with an international dimension, the investigation into which is now coming to an end. The ICO has the power to issue fines up to £500,000 for serious contraventions of the Data Protection Act, but the law doesn’t allow us to issue compensation to affected individuals or to order organisations to pay compensation.” She declined to say when it would publish any findings.
TalkTalk, which has consistently denied any liability for such cases, says: “We are very sorry to hear Mr Tucker and others have been the victims of a scam. We believe we have a responsibility to help protect customers from these crimes, which is why we launched Beat the Scammers, a nationwide awareness and education campaign to help customers protect themselves.”
Bank provides the common link
Why does Santander’s name appear so often in these cases? Each of the victims of this fraud who have contacted Guardian Money have had one thing in common – they banked with Santander. Usually these frauds hit all bank customers equally, but not in this case – at least according to our postbag. It raises questions about whether the scammers have managed to find a way to exploit Santander’s online banking system using stolen TalkTalk details.
Dave Westwood from south Wales, who lost £3,900 in very similar circumstances to those detailed above, says the fraudsters, having taken over his computer and promised him a refund, presented him with a list of bank logos on his computer and invited him to click on his bank. He had an account with First Direct so clicked on its logo, but the fraudster asked if the payment could be made into Westwood’s Santander account instead. Intriguingly, Westwood had opened a Santander account just a week earlier but had not made any withdrawals so was unsure how it worked. He told Money how he was duped into handing over a One Time Passcode which authorised the transaction.
When Westwood later checked his balance on a neighbour’s computer, it emerged that First Direct had blocked an attempted £2,200 payment out of his account on the basis that it was “unusual”, but the Santander payment of £3,900 had been made. Like Graeme Smith in the above story, Westwood says he can’t understand how the fraudsters accessed his online account as he did not input any passwords or disclose them to the criminals. Barry Tucker (see above) makes the same point. When the Financial Ombudsman examined these cases, it sided with the bank.
Santander told Money it is very sympathetic to victims, and welcomes awareness-raising of such scams. But it added that in the featured cases the customers gave the fraudsters access to their computers, before handing over the One Time Passcodes it sends out to customers to verify a money transfer, and that as a result the customers were liable for their losses. “In Mr Tucker’s case, Santander flagged the payment as suspect and the customer was contacted via text message to confirm the transaction on his registered mobile number. During our investigation we confirmed the IP address for the transaction was located back to the customer’s computer and that no sim swap took place,” the bank says. “We strongly advise customers to make sure they are aware of the latest scams as these can often be very sophisticated. We invest significant resource each year to alert customers to scams.”
View all comments >