Police have confirmed an arrest in the TalkTalk data breach, taking a 15-year-old from Northern Ireland into custody, as the company defends its decision to not encrypt users' personal data.
TalkTalk admitted to a massive security breach last week, its second this year, as a result of what it claimed was a 'significant and sustained cyber attack' by parties unknown. The truth, though, appears to be somewhat less dramatic: blame for the attack is being placed firmly at the feet of a 15-year-old from County Antrim, who was arrested late yesterday under suspicion of Computer Misuse Act offences.
'We know this has been a worrying time for customers and we are grateful for the swift response and hard work of the police,' said a TalkTalk spokesperson of the arrest. 'We will continue to assist with the ongoing investigation.'
The company is finding itself in the middle of a public relations storm, however, following the admission that user data, including bank and credit card details, were not encrypted - after first claiming it didn't actually know whether the data was encrypted or not. 'It wasn't encrypted, nor are you legally required to encrypt it,' TalkTalk head Baroness Harding told The Sunday Times following the attack. 'We have complied with all of our legal obligations in terms of storing of financial information.'
That's an argument which doesn't hold water, claimed security expert John Zorabedian of Sophos. 'Even if it's true that encryption is not specifically required, the law's requirement that "appropriate technical or organisational measures be taken" to protect against unlawful access to personal data would strongly suggest it,' he stated following Baroness Harding's outburst. 'If, as Harding says, TalkTalk takes security "incredibly seriously," the legal requirement to use encryption shouldn't matter - because you can't credibly protect data without it.'
A number of TalkTalk customers have also claimed that their accounts have been emptied of cash by scammers using details from the breach to commit social engineering attacks, with International Business Times reporting the case of one customer out £9,000 as a result. Even those not fooled by social engineering attacks are being left out-of-pocket, with the company refusing to waive minimum contract periods and termination fees for those who wish to shift their business elsewhere as a result of the company's terrible attitude towards information security.
It is not currently known whether the arrested individual is related to claims of a ransom demand from TalkTalk, or was working alone.