U.K. police arrested a 15-year-old boy in Northern Ireland on Monday in connection with the data breach at TalkTalk, as the broadband and phone provider faces growing criticism over its handling of the incident.
The teenager, detained in Country Antrim, could face charges under the Computer Misuse Act, the Metropolitan Police said.
TalkTalk’s website was breached on Oct. 21, resulting in the loss of customer names, addresses, birth dates, email addresses, phone numbers, account information, payment card and bank account details.
CEO Dido Harding said she was personally contacted by someone claiming to be the hacker who demanded money, according to The Guardian.
Harding has come under harsh criticism for allegedly not shoring up the company’s security. The latest data breach is the third one suffered by TalkTalk this year.
In February, the company said scammers had approached some customers, quoting their TalkTalk account numbers and phone numbers. The data had likely been illegally accessed, according to a statement. In August, TalkTalk’s mobile sales site was hit, the BBC reported.
But the latest data breach could be the worst. Some of the data obtained was not encrypted, TalkTalk said in a FAQ. The payment card details, however, may be harder for criminals to monetize since some numbers were obscured.
In a video posted Monday, Harding contended that cybercriminals would not be able to use information such as bank sort codes and account numbers that were exposed for fraud.
“Without more information, criminals can’t use these to take money from your bank account,” she said.
Harding’s assessment is accurate. But cybercriminals often assemble that kind of information into broader dossiers on people for identity theft-related schemes.
The company’s website has remained down since the attack.
TalkTalk maintains it has not violated the U.K.’s Data Protection Act, which is a set of principles dictating how companies are allowed to use data. The act mandates that organizations are required to protect data to prevent disclosure but does not make specific prescriptions of what technology to use.
Encryption is generally recommended for sensitive data such as customer information. Even if data is obtained by hackers, it would be difficult or impossible to read without the decryption key, which should be closely guarded.
The Information Commissioner’s Office, the U.K.’s data protection watchdog, said it was aware of the latest incident and is working with the police.
Shortly after TalkTalk’s breach, a message was posted on Pastebin purporting to be from the hackers. A sample of data was posted, although the post has now been removed by Pastebin.
Harding made another error during a BBC interview in which she said TalkTalk was notifying its customers by email. She was asked how customers would be able to tell if that email indeed came from TalkTalk.
“If you are nervous and suspicious, have a look at the header of the email and you will see the email address that it has come from,” Harding said.
The sender address on an email can be easily faked. Such a deception might be obvious to more astute technologists but would likely fool most people.
Cybercriminals are known to use stolen email databases for phishing or other illegal activity, crafting believable messages that can trick people into downloading malware or revealing more personal information.
But it’s also possible other scammers who don’t have access to the email list could send out random scam emails in hopes some are actually TalkTalk customers.