TalkTalk has insisted it had adequate security in place as it downplays the seriousness of the breach
Police have arrested a 15-year-old boy in Northern Ireland in connection with the TalkTalk cyber-attack, in the first major development since the breach was disclosed last Thursday.
The boy, who has not been named, was arrested in County Antrim on Monday afternoon by officers from the Police Service of Northern Ireland working with detectives from the Metropolitan police’s cybercrime unit (MPCCU), according to police.
He was arrested on suspicion of offences under the Computer Misuse Act and taken for questioning to a County Antrim police station, police said, adding that a search of the teenager’s address is underway.
“We know this has been a worrying time for customers and we are grateful for the swift response and hard work of the police,” TalkTalk said in a statement. “We will continue to assist with the ongoing investigation.”
Also on Monday culture minister Ed Vaizey told the House of Commons an inquiry into the hack is to be launched by Jesse Norman, chair of the culture, media and sport select committee, calling the incident “very serious”.
TalkTalk, for its part, has tried to downplay the import of the hack, saying that data such as credit and debit card numbers do not seem to have been compromised, although information such as bank account numbers and sort codes “may have been accessed”.
The company said it would only waive termination fees for customers wishing to switch providers mid-contract “in the unlikely event that money is stolen from a customer’s bank account as a direct result of the cyber-attack”.
It specified that this wouldn’t apply in the case, for instance, of customers who lost money to scammers making use of stolen customer data to make their ploys more believable. A number of TalkTalk users have already fallen prey to such scams as a result of past TalkTalk data breaches, according to reports.
“We would like remind customers that banking or other personal details are increasingly being used by criminals as part of phone, email or text scams,” TalkTalk acknowledged.
TalkTalk has insisted it had adequate security in place. The company faces a maximum fine from the Information Commissioner’s Office (ICO) of £500,000 if the breach is found to have resulted from lax practices on TalkTalk’s part.
SQL injection attack
The company has said a distributed denial of service (DDoS) attack was launched against its website to distract from a more serious attack called a SQL injection.
The SQL injection technique allows a successful attacker to request arbitrary data from the database behind the application being attacked, meaning that “it would be prudent to assume that all data kept within the database is now compromised,” said Wim Remes, manager of EMEA strategic services at security firm Rapid7.
He said the tactic of inundating a server with traffic to conceal another attack is “very common”.
“By distracting the target, the attacker buys more time to focus on the assets they are really after,” Remes said. “Organisations can address this by implementing multi-layer monitoring systems.”
Are you a security pro? Try our quiz!