Noticed the following story on the BBC website about 5,000+ complaints to Action Fraud about this scam. However, still nobody putting two and two together that TV licensing are probably leaking these email addresses in the first place.
I recently provided my new address details to the UK's TV licensing agency website . I don't actually need a TV licence, as I only watch some on-demand programmes from Netflix that make me exempt from needing one, so I dutifully made them aware. However, the following day, and every few days after that, I received a phishing email from ''TV licensing''.
Now, it is possible that these two events were completely unconnected, but I think the chances are very to extremely low. My guess is that cyber intruders have installed malware inside the TV licensing network and are siphoning customer details in near real time.
Being a good Internet citizen, I raised a ticket to make them aware. About a week later I had a standard response, saying they knew about these phishing emails and to just delete them. I responded to them again, making them aware I work in the information security business and providing further detail on my suspicions. I even offered to speak to their information security analyst. A few days later, I had a further email from them, telling me to delete the phishing emails, as it was nothing to do with them and effectively telling me I was stupid.
After doing a bit of digging, guess how surprised I was to find they'd already had security issues towards the end of 2018:
Until companies take cybersecurity a bit more seriously, it's the consumers and customers that are at risk. Denying that it is anything to do with them (TV licensing), they're just innocent victims as well, doesn't cut it. I won't make TV licensing aware next time that I don't need a licence from them, as I don't trust that they can keep my details safe. If I needed one, then I'd have no choice but to sign up and put my details at risk of compromise. Companies need to take cybersecurity more seriously, rethink how they respond to reported security incidents and make sure that there are proper reporting mechanism in place. If I see that they report a breach in the future, I'll be sending my emails to the Information Commissioner's Office to prove that they were made aware. It's sad, but fines and bad publicity seem to be the only way to get these companies to take security more seriously.