Update: Added supplier statement at the end of the article.
UK telecommunications company TalkTalk is investigating a third-party supplier data breach after a threat actor began selling alleged customer data on a hacking forum.
“As part of our regular security monitoring, given our ongoing focus on protecting customers’ personal data, we were made aware of unexpected access to, and misuse of, one of our third-party supplier’s systems, however, no billing or financial information was stored on this system,” TalkTalk told BleepingComputer.
“Our Security Incident Response team are continuing to work with the supplier regarding this matter and protective containment steps were taken immediately.”
“Our investigations are ongoing, however we can confirm that the number of potential customers referred to in certain online posts is wholly inaccurate and very significantly overstated.”
This statement comes after someone named “b0nd” began selling what they claim is TalkTalk customer data on a hacking forum that was allegedly stolen in a January 2025 data breach.
“As the title says today we will list for sale a large data breach involving TalkTalk. This breach took place January 2025 and affects 18,839,551 current and previous customers.” reads the post to a hacking forum.
Source: BleepingComputer
The threat actor also shared a sample of the data, which includes the subscriber’s name, email, last-used IP address, business phone number, and home phone number.
While the forum post says the stolen data contains information about almost 18.9 million current and previous TalkTalk customers, the company does not have nearly that number of subscribers, putting the authenticity of the breach in doubt.
Furthermore, the screenshots shared by the threat actor indicate that the data was possibly stolen from the Ascendon SaaS platform rather than directly from TalkTalk.
CSG Ascendon is a subscription management platform that TalkTalk has historically used as part of its operations.
In 2015, TalkTalk suffered a data breach where hackers accessed the personal details of over 150,000 customers. The incident led to a £400,000 fine by the UK Information Commissioner’s Office.
Update 1/26/25: CSG confirmed that the data originated from their platform but said that they did not suffer a breach of their systems and it only impacted one customer.
“On Jan. 21, 2025, CSG learned that an external party gained unauthorized access to a single provider’s data residing on a CSG platform,” CSG told BleepingComputer.
“We have no evidence that CSG’s technologies and systems were compromised or that CSG was the cause of the unexpected access to the data. CSG provided immediate containment and is actively supporting our customer.”
BleepingComputer asked whether the threat actor breached TalkTalk’s account through compromised credentials but has not heard back at this time.
Source: www.bleepingcomputer.com