Breach Response , Data Breach , Fraud

TalkTalk Hack: UK Police Bust Teenage Suspect

15-Year Old Arrested in Northern Ireland
TalkTalk Hack: UK Police Bust Teenage Suspect

British police have arrested a 15-year-old boy in connection with the suspected hack of London-based telecommunications provider TalkTalk.

See Also: 2016 Annual Worldwide Infrastructure Security Update

TalkTalk has warned that the hack may have resulted in personal data on up to 4 million subscribers being stolen. The company recently confirmed that it received a ransom demand from the alleged hacking group behind the attack.

The Police Service of Northern Ireland, together with detectives from the London Metropolitan Police Cybercrime Unit, arrested the teenager Oct. 26 in County Antrim - north of Belfast - on suspicion of violating the Computer Misuse Act. He is currently being questioned as part of what authorities say has been a joint investigation involving the Met police, PSNI's Cybercrime Center as well as the U.K. National Crime Agency.

"We know this has been a worrying time for customers and we are grateful for the swift response and hard work of the police. We will continue to assist with the ongoing investigation," TalkTalk said in a statement. "We take the security of your data very seriously."

But the company, which has admitted this year to suffering three separate breaches since late 2014, was already facing sharp questions about the state of its information security defenses. Those questions have intensified in the wake of a report that TalkTalk was breached using a simple SQL injection attack (see TalkTalk Breach Fuels Call for Tougher UK Laws).

"Anyone building a business website who has not learnt about how to protect against SQL injection attacks probably needs to go back to the classroom," says U.K. security expert Graham Cluley in a blog post.

Indeed, if TalkTalk was breached by a teenager, it's going to be difficult for the company - which earned 2014 gross revenue of £1.7 billion ($2.65 billion) - to claim that it takes security seriously, says University of Surrey computer science professor Alan Woodward, who's a cybersecurity adviser to the association of European police agencies known as Europol.

In the wake of the breach, some British public officials and security experts have already been calling on legislators to strengthen the country's consumer protection laws and give regulators the ability to levy heavier fines against organizations with poor information security practices.

TalkTalk Stock Slides

With the company's stock price taking a hit following the breach, TalkTalk has already gone into damage control mode, especially in the wake of reports that some customers believed that their TalkTalk information had been used to commit fraud. But TalkTalk CEO Didi Harding took to YouTube Oct. 26, telling customers that the information stolen via the breach could be used to for social engineering purposes - in other words, phone and email scams - but not to directly commit fraud. "Sensitive financial information - i.e. credit and debit card numbers - were protected. Bank account numbers and sort codes ... may have been accessed, but without more information criminals can't use these to take money from your bank account," she said.

"I am sorry for the frustration and concern that this is causing," Harding added. "We're working as hard as we can to keep our customers informed as the investigation continues, and will continue to do so."

Social Engineering Attacks

But TalkTalk customers were already being targeted by scammers, following a breach - or series of breaches - that occurred in 2014. In February, TalkTalk admitted that attackers were using the stolen information - including account numbers, names and contact information - to run social-engineering attacks against its customers (see U.K. Telco Confirms Data Breach).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network