Police have arrested a 15-year-old boy in County Antrim, Northern Ireland, in connection with the hacking of the TalkTalk website.
The hack had sparked fears of a terror attack when TalkTalk received a note claiming responsibility for the attack and demanding ransom.
Business leaders called for urgent action to tackle cyber crime, and shares in the telecoms company fell more than 12% in Monday trading, extending losses incurred when the news broke.
The Metropolitan Police Cyber Crime Unit (MPCCU) arrested the boy on suspicion of Computer Misuse Act offences while executing a search warrant at his home.
Police said the search is continuing and the boy is to be interviewed while in custody at a County Antrim police station.
A police statement said this was a joint investigation involving the Police Service of Northern Ireland (PSNI) cyber crime centre, National Crime Agency (NCA) and detectives from the MPCCU.
TalkTalk said in a statement: “We know this has been a worrying time for customers and we are grateful for the swift response and hard work of the police. We will continue to assist with the ongoing investigation.
“In the meantime, we advise customers to visit http://talktalk.co.uk/secure for updates and information regarding this incident.”
The police investigation was launched when TalkTalk reported that its website had been hit by a “significant and sustained cyber attack”.
The phone and broadband provider, which has more than four million UK customers, said banking details and personal information could have been accessed.
TalkTalk has engaged BAE Systems to investigate the cyber attack, and the company’s cyber specialists are reportedly analysing “vast quantities” of data to help establish how the breach took place and what information was stolen.
But on 24 October 2015, TalkTalk downplayed the potential impact of the breach, emphasising that only its website was attacked and not its core systems, which means that only partial credit card numbers were exposed, making them theoretically useless to cyber criminals.
However, the company has come under criticism for not ensuring that all customer data was encrypted, with some customers reportedly planning to sue the company for compensation.
Members of Parliament said an inquiry would be launched into the cyber attack that could have put customers’ details at risk.
Digital economy minister Ed Vaizey told the House of Commons that the government was not against compulsory encryption for firms holding customer data, according to the BBC.
Independent security consultant Graham Cluley said both DDoS and SQL injection attacks are relatively unsophisticated.
“To be at risk from SQL injection attacks, for instance, all you need is a website that has been built in an amateurish fashion that has not correctly sanitised user input.
“Anyone building a business website who has not learnt about how to protect against SQL injection attacks probably needs to go back to the classroom themselves,” he wrote in a blog post.