UK broadband and TV provider TalkTalk says it’s currently investigating claims made on cybercrime forums alleging data from the company was up for grabs.
An individual using the handle “b0nd” laid claim to a batch of data, which they claimed relates to nearly 19 million current and former customers of the British telco.
TalkTalk’s head of external comms, Liz Holloway, confirmed to The Register that the company was looking into the claims: “We’re aware of these posts, we’re investigating it at the moment.
“We think it relates to an external standalone data platform application that manages a small part of our customer base, but that’s obviously owned and managed by an external third party.”
The investigation is still in the very early stages and the third-party supplier wasn’t identified, but it’s understood the platform in question doesn’t store billing details or any other sensitive information of that ilk.
The claims made on b0nd’s forum post include that the break-in occurred earlier this month and that the following data is considered compromised:
- Subscriber PINs
- First and last names
- Email addresses
- Information about customers’ last account access
- IP addresses
- Business and home phone numbers
TalkTalk’s position is that nothing is confirmed until the investigations at the third-party vendor are concluded.
The scale of the alleged data grab is also thought to be in doubt. The Register understands that TalkTalk has never had as many customers, past and present combined, as b0nd claims to hold data on since it launched in 2003.
The current total is closer to 2.4 million, and the platform in question is believed to handle only a subset of that figure.
In addition, TalkTalk offered the following response: “As part of our regular security monitoring, given our ongoing focus on protecting customers’ personal data, we were made aware of unexpected access to, and misuse of, one of our third-party supplier’s systems, however, no billing or financial information was stored on this system.
“Our security incident response team is continuing to work with the supplier regarding this matter and protective containment steps were taken immediately.
“Our investigations are ongoing, however, we can confirm that the number of potential customers referred to in certain online posts is wholly inaccurate and very significantly overstated.”
TalkTalk’s current inquiry isn’t thought to be related to its mega-breach just over nine years ago, the one that landed it a £400,000 fine ($497,295 at today’s conversion) from the UK’s ICO – a then-record sum in Blighty’s pre-GDPR times.
Even if b0nd’s lofty claims of an 18.8 million-customer breach did include those affected in October 2015, only 157,000 of those would be related to the company’s biggest security mishap so far, making the quoted figures this week seem even more unlikely. ®