Police arrested a 15-year-old boy in County Antrim, Northern Ireland on Monday in connection with the hacking of TalkTalk’s website.
TalkTalk has received scathing criticism from both the media and security experts over its mediocre security practices.
The hack initially sparked fears of a sophisticated terror attack when TalkTalk received a ransom demand; however, it quickly emerged that the website had been targeted by a distributed denial of service (DDoS) and SQL-injection attack, both fairly rudimentary in nature and easy to defend against. News of the 15-year-old’s arrest has only served to emphasise the weaknesses in the ISP’s security measures.
The boy has since been released on bail pending further investigation.
Experts from BAE Systems’ Applied Intelligence division have been drafted in by TalkTalk to help with an internal investigation of what went wrong.
It’s not just the hack itself which has received criticism, but TalkTalk’s handling of the situation in the days that followed. Initially, the broadband provider said that it had been ‘hit by a significant and sustained cyber attack’ and warned that banking details and personal information may have been accessed.
On Friday, TalkTalk confirmed that it had received a ransom demand from a person or group purporting to be responsible for the hack. Citing sources ‘close to the investigation’, security blogger Brian Krebs reported that the hacker or hackers had demanded a ransom of £80,000 in bitcoins.
Over the weekend, TalkTalk attempted to row back on some of its doom-laden rhetoric by telling customers that the data breach was not as bad as it had first feared. It emerged that while personal information and bank details may have been accessed, credit and debit card numbers were partially hidden and so could not be used for transactions.
CEO Dido Harding then made a series of well-executed blunders, telling the Sunday Times that her company was under no legal obligation to encrypt customer data, causing a severe backlash.
“[Our data] wasn't encrypted, nor are you legally required to encrypt it. We have complied with all of our legal obligations in terms of storing of financial information,” she said.
When it came to the impact on TalkTalk Business customers, the official line has also evolved over a period of days. Bosses had initially managed to deflect questions surrounding the business division, but three days ago a new post was published on the company’s website stating that ‘current and previous small business customers who transacted online’ may have been affected.
A TalkTalk spokesperson told MicroScope that most of those affected have now been contacted.
"We know that some TalkTalk Business customers have been affected, and we emailed those we thought might have been last week, along with all our consumer customers," said the spokesperson, adding: "We think we're nearly there in terms of identifying those definitely affected, but not sure when we'll be able to give an update."
All business customers are invited to take advantage of the free 12-month credit monitoring service on offer.
“We'd like to reassure customers that we take the security of your data very seriously,” the website says, mirroring the official statement made when news of the attack first went public. “We constantly review and update our systems to make sure they are as secure as possible and we’re taking all the necessary steps to understand this incident and to protect them as best we can against similar attacks in future.”
The stock fell by a further 12% on Monday, extending last week’s losses, but has since rebounded strongly on the back of news of the arrest. Shares are currently trading at 258 pence.