TV Licensing website security incident

Anyone else got an email from TV Licensing today, about a security incident with their website?

Looks like some data input into their website between 29th August and 5th September, including some bank details, may have been unencrypted, and so susceptible to intercept. See below:

We take the security of your data very seriously. That’s why it’s our normal practice that when you make payments or send us financial or other personal details through our website, the data is encrypted to keep it safe.

While there is no evidence that our website has been subject to any sort of attack or that the security of your data has been compromised, we recently discovered that for a limited period – from 29th August until 5th September 2018 – some transactions carried out on the website were not as secure as they should have been.

As soon as we discovered this issue – which was introduced inadvertently during a routine upgrade of the site – we took the website offline and fixed it.

We believe the risk of anyone else having seen information sent through to our website during that period is low, but because we take a very cautious approach and believe you may have used the website during this period, we want to tell you what happened and what we recommend you do as a precaution.

We know that during this short period, transactions using credit or debit cards were still encrypted. However, where people have submitted personal data such as their name and address, or where they gave us bank details (a sort code and account number) – for example while setting up or amending a direct debit – in some cases this information was not encrypted when it was transmitted between your computer and us.

The chances of anyone having accessed information, even if it was not encrypted, are very small because it would involve them intercepting your communications with the website – similar to tapping a phone call. This is very unlikely to have happened and we have found no evidence of data being accessed like this.

Nevertheless, if you sent us bank details during this period, particularly if you used an internet connection you don’t trust, as a precaution we’d suggest that you check your bank account to ensure there are no transactions you haven’t authorised, and check that your direct debits haven’t been amended in any way. If you detect any suspicious activity on your account, please contact your bank or building society urgently.

We’re really sorry this happened, but want to assure you that the risk to you is low and we’ve taken action to ensure it doesn’t happen again.

If you have any further questions, then please call us on: 0300 790 6035.

3 Likes

Well, that explains why their website was down.

I think it shows that we need a much better system than having a single card number that needs protecting. Hackers are just so much cleverer than most sysadmins.

I’ve started to use Apple Pay where I can, but we need a more generic solution like unique card numbers per transaction.

2 Likes

I’m not sure this example can be used to support that. My reading is that the website fell back to unencrypted HTTP for everything except card details. This means that some personally identifiable information - but not card numbers - might have been susceptible to intercept. But it would have been very unlikely.

As they were encrypted, card details would not have been exposed from the error - so unique card numbers per transaction wouldn’t have mitigated this particular risk.

(That’s not to say they’re not a good idea, just that they wouldn’t have mattered in this scenario).

1 Like

Fairy snuff! 🙂

1 Like

They were in hot water a few days ago…

4 Likes

Glad I refuse to have anything to do with them!

2 Likes

I wish I could say the same. I don’t really watch TV myself but my wife loves it so unfortunately we need a licence. After swapping all my direct debits over to Monzo as well, I’ve had the pleasure of having to battle with their website.

Netflix, Amazon Prime, YouTube, NOW TV, Plex.

No need for anything else!

2 Likes

I had this email today and I was quite annoyed, mainly because there is still a relaxed approach at many companies when it comes to security. I know it wasn’t my card details, but my account number, sort code, address and date of birth may have been passed over an insecure connection. At least with a card number I can cancel a card.

Anyway, I raised a complaint, so will see what they come back with.

3 Likes

The companies normally offer some sort of free identity monitoring service when these things happen. I’m surprised they haven’t offered anything like this to affected customers.