TalkTalk breach: CEO dismisses encryption, 15-year-old arrested


There have been a lot of strange developments in the days since last week’s cyberattack on UK telecom TalkTalk, in which an unknown number of customers may have had their personal data accessed.

First up, the criminal investigation is progressing: the Metropolitan Police announced on Monday, 26 October, that a 15-year-old boy has been arrested “on suspicion of Computer Misuse Act offenses” in connection with the breach.

The boy was taken into custody after being arrested Monday at an address in Antrim County, Northern Ireland, and the address was being searched, according to a statement.

The news of the arrest comes after days of conflicting reports about who was behind the attack.

The BBC initially reported that a “Russian Islamist group” had claimed responsibility for the attack; and on Monday, Motherboard reported that a member of the (defunct) hacktivist group LulzSec claimed responsibility for a distributed denial of service (DDoS) attack on TalkTalk’s website.

Security blogger Brian Krebs, citing sources “close to the investigation,” reported that a hacker group had demanded a ransom of £80,000 in bitcoins (about $122,000) in exchange for a stolen cache of customer data.

Krebs also reported that a user named “Courvoisier” had posted on a Dark Web forum called AlphaBay that he would be selling “hacked TalkTalk customer data.” (Update: Krebs reported that the data had been promised but not yet sold, as we previously wrote).

TalkTalk CEO Dido Harding is doing a lot of talking to the media, and in a video on the TalkTalk website she says she is “sorry for the frustration and concern that this is causing.”

Harding said on Saturday that the number of people affected in the breach was “materially lower” than first thought – certainly less than all of the company’s 4 million customers.

Meanwhile, TalkTalk’s FAQ about the incident says it’s still “too early” in the investigation to know how many people were affected.

TalkTalk is taking a lot of flak at the moment, some of it justifiable, which Harding acknowledged in an interview with The Guardian:

We are understandably the punchball for everybody wanting to make a point at the moment. Nobody is perfect. God knows, we’ve just demonstrated that our website security wasn’t perfect – I’m not going to pretend it is – but we take it incredibly seriously.

But the embattled CEO has also made some puzzling comments.

After it was pointed out that an IT security specialist revealed numerous security weaknesses in TalkTalk’s website last year, she responded by saying that TalkTalk’s security is “head and shoulders better than some of our competitors.”

The security specialist, Paul Moore, wrote in a blog post last September that representatives from the TalkTalk CEO’s office were “aggressive, defensive and dismissive” when he pointed out that the company’s My Account website and webmail service did not use TLS/SSL encryption.

Harding also said in an interview that TalkTalk did not encrypt customer financial information but was “not legally required” to do so – because the UK’s 1998 Data Protection Act does not explicitly require encryption.

Of course, if Krebs’s claims are true, and the data was extracted using what’s known as SQL injection – where an outsider crafts input that makes the website’s own database queries hand back data the application is allowed to read, in unencrypted form – encryption might not have been enough to prevent the breach in this case.
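To make that point concrete, here is an added Python example (not from this article, and not TalkTalk’s code) contrasting a lookup that splices user input into SQL text with one that binds it as a parameter. The table, the two sample rows and the toy base64 "encryption" at rest are constructed for illustration; the point is that the application decrypts whatever the database returns, so a query that has been bent to return every row yields every card number in the clear.

```python
import sqlite3
from base64 import b64decode, b64encode


# Toy stand-in for encryption at rest (assumption for illustration only;
# a real deployment would use a proper cipher and key management).
def encrypt_at_rest(value: str) -> str:
    return b64encode(value.encode()).decode()


def decrypt(value: str) -> str:
    return b64decode(value.encode()).decode()


def build_db() -> sqlite3.Connection:
    # Constructed sample data: card numbers are stored encrypted.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card TEXT)")
    rows = [("alice@example.com", "4111111111111111"),
            ("bob@example.com", "5500000000000004")]
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [(e, encrypt_at_rest(c)) for e, c in rows])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The flaw: user input becomes part of the SQL text, so the database
    # executes whatever structure the caller managed to write into it.
    sql = f"SELECT email, card FROM customers WHERE email = '{email}'"
    # The application must decrypt rows to serve legitimate requests, which
    # is exactly why encryption at rest does not help once the query is bent.
    return [(e, decrypt(c)) for e, c in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # The fix: bind the value as a parameter; it can only ever be compared
    # against the column, never change the shape of the query.
    sql = "SELECT email, card FROM customers WHERE email = ?"
    return [(e, decrypt(c)) for e, c in conn.execute(sql, (email,))]
```

Run the two lookups with a normal address and then with an input that closes the quote and tacks on an always-true condition: the vulnerable version returns both customers’ decrypted cards, while the parameterized version returns nothing.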

So far, however, all that we know is that we don’t yet know what happened…
