Exposed: UK’s TV Licence agency fails to secure customers’ bank details & data

After a Twitter spat in which several heavyweight InfoSec pros, including Scott Helme and Troy Hunt, clearly exposed the UK TV Licensing agency’s insecure handling of customer data, the publicly funded organisation (after some initial denial) had to take its website down for some much-needed maintenance to fix the issue.

The problem was originally discovered by self-proclaimed ‘naughty SEO’ Mark Cook, who noticed while updating his TV licence that the agency was sending and receiving his data unencrypted. It all started when Google Chrome released version 68, which began warning users when a website’s connection is ‘unsecure’. HTTPS encrypts the traffic between browser and server so that it cannot be read if intercepted; HTTP, on the other hand, makes no attempt to protect the traffic at all. As the UK’s National Cyber Security Centre advises, all websites should use HTTPS “even if they don’t include private content, sign-in pages, or credit card details.”[1]

With 27 million people in the UK owning a television in 2018[2], each required by law to purchase a TV licence, securing the customer data submitted through the website is a matter of public importance. Even though the website labelled itself as “secure”, Chrome was quick to identify that it was not encrypting some of its traffic and data.

So how unsecure was the TV Licensing website?

The TV Licensing website was available over both HTTP and HTTPS. However, links from search engines and from within the site itself sent customers directly to the unsecured HTTP version. Setting up and applying for a TV licence involves three main steps. The first is “About the TV Licence holder”, where you give personal details about yourself, including your email address. The second is “Address to be licensed”, which is self-explanatory, and the last is entering your card or direct debit details. As Cook identified, every single step could be completed over HTTP, with no encryption at all. This means that all personal details, including bank account numbers and sort codes, could have been intercepted by anyone able to observe the traffic. Thankfully, in this case, credit and debit card details were redirected to an HTTPS page through a third-party bank provider.
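As an added example (not code from the original article or from TV Licensing), the following Python script checks for the two defects described above: forms that would submit over plain HTTP, and redirects that send an HTTPS visitor back to HTTP. The hostnames and the sample HTML are constructed placeholders modelled on the three-step flow; only the standard library is used.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def insecure_form_targets(page_url, html):
    """Return the absolute submit URLs of forms that would post over plain HTTP.

    A relative action inherits the scheme of the page it sits on, so a form
    on an http:// page with action="/apply/step1" still submits in the clear.
    """
    parser = _FormCollector()
    parser.feed(html)
    insecure = []
    for action in parser.actions:
        target = urljoin(page_url, action)  # resolve relative actions against the page
        if urlsplit(target).scheme == "http":
            insecure.append(target)
    return insecure


def redirect_downgrades(from_url, location):
    """True if a redirect (Location header) sends an https:// visitor to http://."""
    target = urljoin(from_url, location)
    return urlsplit(from_url).scheme == "https" and urlsplit(target).scheme == "http"


# Constructed sample page: placeholder hostnames, three forms as in the flow above.
SAMPLE_PAGE_URL = "http://www.example.invalid/apply/about-you"
SAMPLE_HTML = """
<form method="post" action="/apply/about-you"> ... </form>
<form method="post" action="http://www.example.invalid/apply/address"> ... </form>
<form method="post" action="https://pay.example.invalid/card"> ... </form>
"""

if __name__ == "__main__":
    for url in insecure_form_targets(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("form submits over plain HTTP:", url)
    print("downgrade redirect:", redirect_downgrades("https://www.example.invalid/", "http://www.example.invalid/apply"))
```

Only the card-payment form (served from the HTTPS payment host) passes; the two relative or explicit http:// forms are flagged, matching the situation Cook described.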

Source: Mark Cook's Blog


The Norwich-based director contacted the TV Licensing Twitter account following his discovery, where they stated:

It gets worse: after some probing, someone from the social media team at TV Licensing ‘assured’ Cook that the website was secure. How did they do this? By sending him a link to another unsecured web page talking about their ‘secured network’, of course.


Hosting a website over plain HTTP is like advertising free data to hackers, so what does this really mean for people and their data?

By hosting an unsecured website, the TV Licensing agency opened the door for hackers to snoop on and steal information from its customers. A hacker with your personal details can set up bank accounts and credit cards, take out loans, intercept refunds, open accounts, and much more.

Even a hacker lifting just an email address and name from the site would have enough to put together a pretty convincing phishing email to someone who has just signed up.

After some bashing on Twitter, on 5 September the TV Licensing website was taken down for some ‘planned maintenance’. TV Licensing has since added an entry to its FAQs explaining why the website was temporarily unavailable. It states that there is no evidence of a data breach, but recognises that customer data was not properly protected. Following some effective public security shaming, the TV Licensing website has now migrated all of its pages to HTTPS.

Will we ever know the full extent of what was compromised on the TV Licensing website? Probably not. Is it more secure now? At least that much, yes.

Have you recently renewed or purchased a TV licence?

TV Licensing has advised customers that, although the risk is low, they should as a precaution check their bank accounts to ensure there are no transactions they did not authorise, and check their direct debits to ensure they have not been amended in any way. If you detect any suspicious activity on your account, you should contact your bank or building society urgently.

Published 2019-02-19 | Categories: Cyber Security
