Second teenager arrested in TalkTalk “breach” – but what was the motive?

There’s now yet more mystery in the recent TalkTalk “breach” case.

TalkTalk is a UK communications company that admitted, about a week ago, that its website had suffered a “significant and sustained cyber attack.”

Unfortunately, if all you know is that Something Bad Happened, it’s often very hard to pin down exactly what that Something was.

Did the attackers want only to knock you off the air?

If so, was it revenge for a perceived grievance?

Was it to soften you up for blackmail, where the crooks contact you and say, “Pay protection money, or next time will be worse?”

Was it a smokescreen for other criminal activity, with a Denial of Service (DoS) attack used to divert attention from a more targeted break-in?

Or was it maybe, just maybe, to give the attackers some disturbingly perverse fun – “for the lulz,” as they say?

The arrests so far

On Monday this week, UK police announced that a suspect in the attack had been arrested: a 15-year-old boy from Northern Ireland.

Now, according to the BBC, a 16-year-old male from London is the second suspect to have his collar felt.

Both suspects are now out on bail. (We can’t tell you who they are on account of their ages.)

What happened?

TalkTalk’s website confirms that the company is still [2015-10-30T12:00Z] trying “to establish exactly what happened and whether any of your individual information has been accessed.”

So it’s possible that this attack, even though it has already widely been reported as a breach, might turn out to be no such thing, with no personal information accessed illegally at all.

But there is also a chance, as TalkTalk is openly admitting, that:

Some of the following data may have been accessed:

* Names
* Addresses
* Dates of birth
* Email addresses
* Telephone numbers
* TalkTalk account information
* Credit and debit card details and/or bank details

TalkTalk says that credit or debit card numbers were stored with six of their 16 digits blocked out, which makes the data as good as useless to crooks.

But the company isn’t saying how it stores your bank details, if you provided them, although it did tell a reporter at The Register that it doesn’t bother with encryption.

Encryption alone might not have helped on this case, for example if data was stolen by interrogating an insecure database server that was set up to be able to decrypt that data on demand.

But the complete absence of encryption, whether allowable from a legalistic point of view or not, represents what one Naked Security commenter called “a pattern of disinterest in securing entry points.”

What next?

It’s tempting to assume, given that the arrests so far are of under-age youngsters, that this will end up being a case of “we did it for the lulz” rather than “we were after the money.”

But numerous youngsters were snared recently in the UK on suspicion of buying Denial of Service (DoS) tools online using Bitcoin.

They allegedly went on to attack a leading national newspaper, a school, gaming companies and a number of online retailers.

That certainly sounds a like a lot more than “for the lulz”…

…but even it it were, it’s far away from amusing.