Pages

Saturday, 8 September 2018

TV Licensing Security Flaws: Questions and Answers


In response to the recent exposure of security flaws in the TV Licensing website, the BBC's revenue generation bullies have published a series of questions and answers in an effort to reassure customers.

TV Licensing as an organisation is habitually dishonest, so we have no way of confirming the accuracy of TV Licensing's comments below. When this latest issue was brought to its attention, TV Licensing published the falsehood that "all is well" with the website.

Despite its false denials of a few days ago, TV Licensing now admits that transactions carried out on its website between 29 August and 5 September "were not as secure as they should have been". As TV licences are normally renewed at the month end, there are potentially hundreds of thousands of TV Licensing customers that have inputted sensitive personal data into the website during that week-long window.

We also reiterate our comments from yesterday that concerns about the security of the TV Licensing website have been raised on several previous occasions, some of which were months ago. There is no way of knowing the impact of TV Licensing ignorance and inaction on the security of customer personal data in the intervening months.
______
Q: Why has TV Licensing’s website been unavailable?
A: We were recently alerted to an issue with our website’s security following a technical update. We took the site down straight away so that we could fix it.

We take the security of our customer’s data very seriously. That’s why it’s our normal practice that when our customers make payments or send us financial or other personal details through our website, the data is encrypted to keep it safe.

Q: What happened?
A: While there is no evidence that our website has been subject to any sort of attack or that the security of our customers’ data has been compromised, we recently discovered that for a limited period - from 29 August until around 3.20pm on 5 September 2018 - some transactions carried out on the website were not as secure as they should have been.

Q: What details were affected?
A: This issue did not affect debit and credit card details but it may have affected customers’ personal details such as name, address and email or, if customers entered bank details, the sort code and account number. In some cases, this information was not encrypted when it was transmitted from the customer’s computer.

Q: What did TV Licensing do?
A: As soon as we discovered this issue we took the website offline and fixed it. We’re really sorry this happened, but want to assure you that the risk to you is low and we’ve taken action to ensure it doesn’t happen again.

Q: What is the risk of data being misused?
A: We believe the risk of anyone else having seen information sent through to our website during that period is extremely low but, because we take a very cautious approach, we want to tell our customers what happened and recommend precautions customers can take to protect themselves.

Q: What is the likelihood that I have been affected?
A: Customers may have been affected if they visited the TV Licensing website from 29 August until around 3.20pm on 5 September 2018 and entered personal data into the website. The risk of customers having their data accessed is very low, and we are not aware of anyone’s data being obtained.

Q: What personal data of mine could have been at risk?
A: During this limited period, customer transactions using debit and credit cards were still encrypted. However, if the HTTP version of a web page was being used, personal data such as customers’ names, addresses, bank details (sort code and account number) given to us - for example, to set up or amend a Direct Debit - were not encrypted. There is no evidence of the website being subject to any sort of attack, or anyone having acted maliciously and the chances of anyone having accessed this information are very small.

Q: Under what circumstances would my personal data have been at risk?
A: In order to access your data, someone would need to have been aware the vulnerability existed, and also have been in a position to have been intercepting network traffic between your computer and the TV Licensing web servers at the time the transaction took place.

Q: I gave my personal details to TV Licensing over the phone during this period. Is there a chance I will be affected?
A: If you gave us personal details, including bank details, over the phone, these will have been kept securely.

Q: I’m concerned, what should I do?
A: As a precaution, we would suggest that you check your bank account to ensure there are no transactions which have not been authorised and check that direct debits haven’t been amended in any way. If you detect any suspicious activity on your account, you should contact your bank or building society urgently. If you have any further questions, you should contact TV Licensing on 0300 790 6035.

Q: What else can I do to protect myself?
A: If you want to check that communications from TV Licensing are genuine, you can find more information here:

Other organisations can offer general advice such as Action Fraud:


Q: What action has TV Licensing taken? Can I trust them to keep my personal data safe?
A: As soon as we discovered this issue, we took the website offline to urgently fix it. The website has been restored with full security and all transactions are now encrypted again under HTTPS. We’ve urgently investigated and have established the root cause so we can ensure it doesn’t happen again. Additionally, we’re contacting all customers urgently who we believe submitted their bank details during this period.

Q: Was the website hacked or attacked?
A: There is no evidence of the website being subject to any sort of attack, or that anyone has acted maliciously. The chances of anyone having accessed this information are very small and we have found no evidence this has happened.

Q: Are you contacting customers who completed transactions on the TV Licensing website during this period?
A: We’re contacting all customers urgently who we believe submitted their bank details during this period.

Q: Why haven’t you contacted me?
A: If you made a transaction during this time and haven’t heard from us, or have any further questions, then please contact us on 0300 790 6035.

Q: Will TV Licensing compensate me if I have suffered financial loss as a result of my personal data being compromised?
A: The risk of financial loss is very low. But yes, of course we will compensate you if you have been affected.

Q: Is this site now secure?
A: Yes. This site is fully secure and we now use HTTPS across the entire website. Whenever data such as debit or credit card or bank account details are sent or received on this site they are kept secure through encryption (we use the 128-bit secure sockets layer, or SSL, standard). This means that no third party can access this data.

This safeguards you when you transact on our website, e.g. when you apply for a new licence, renew an existing licence, view your TV Licence details online or update your details.

1 comment:

  1. One thing that is concerning is the processing of TV Licensing data in Mumbai, India. This is carried out with the blessing of the BBC. The Over 75's Licences are processed there. Although it is probably no more prone to criminality than anywhere else, India is associated with many call-centre scams where people are phoned up by scammers purporting to be working for genuine companies and are tricked into handing out their information. I wonder if BBC Licence holders knew thast their personal data was processed outside of the UK, would they agree to it?

    ReplyDelete

Thank you for making a comment. We love to hear your opinion on what we write, be it positive or negative. Unfortunately, due to previous abuse of our comment system, it is necessary for us to approve each comment before it is published. We will only approve comments that are well composed. Please only enter your comment once and wait patiently while we approve it. Finally, apologies for Blogger's horrible Captcha!