UK arrests teenager in connection with TalkTalk hack

TalkTalk continues to deal with the fallout from its third data breach this year

U.K. police arrested a 15-year-old boy in Northern Ireland on Monday in connection with the data breach at TalkTalk, as the broadband and phone provider faces growing criticism over its handling of the incident.

The teenager, detained in Country Antrim, could face charges under the Computer Misuse Act, the Metropolitan Police said.

TalkTalk's website was breached on Oct. 21, resulting in the loss of customer names, addresses, birth dates, email addresses, phone numbers, account information, payment card and bank account details.

CEO Dido Harding said she was personally contacted by someone claiming to be the hacker who demanded money, according to The Guardian.

Harding has come under harsh criticism for allegedly not shoring up the company's security. The latest data breach is the third one suffered by TalkTalk this year.

In February, the company said scammers had approached some customers, quoting their TalkTalk account numbers and phone numbers. The data had likely been illegally accessed, according to a statement. In August, TalkTalk's mobile sales site was hit, the BBC reported.

But the latest data breach could be the worst. Some of the data obtained was not encrypted, TalkTalk said in a FAQ. The payment card details, however, may be harder for criminals to monetize since some numbers were obscured.

In a video posted Monday, Harding contended that cybercriminals would not be able to use information such as bank sort codes and account numbers that were exposed for fraud.

"Without more information, criminals can't use these to take money from your bank account," she said.

Harding's assessment is accurate. But cybercriminals often assemble that kind of information into broader dossiers on people for identity theft-related schemes.

The company's website has remained down since the attack.

TalkTalk maintains it has not violated the U.K.'s Data Protection Act, which is a set of principles dictating how companies are allowed to use data. The act mandates that organizations are required to protect data to prevent disclosure but does not make specific prescriptions of what technology to use.

Encryption is generally recommended for sensitive data such as customer information. Even if data is obtained by hackers, it would be difficult or impossible to read without the decryption key, which should be closely guarded.

The Information Commissioner's Office, the U.K.'s data protection watchdog, said it was aware of the latest incident and is working with the police.

Shortly after TalkTalk's breach, a message was posted on Pastebin purporting to be from the hackers. A sample of data was posted, although the post has now been removed by Pastebin.

Harding made another error during a BBC interview in which she said TalkTalk was notifying its customers by email. She was asked how customers would be able to tell if that email indeed came from TalkTalk.

"If you are nervous and suspicious, have a look at the header of the email and you will see the email address that it has come from," Harding said.

The sender address on an email can be easily faked. Such a deception might be obvious to more astute technologists but would likely fool most people.

Cybercriminals are known to use stolen email databases for phishing or other illegal activity, crafting believable messages that can trick people into downloading malware or revealing more personal information.

But it's also possible other scammers who don't have access to the email list could send out random scam emails in hopes some are actually TalkTalk customers.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?