British police have arrested a 15-year-old boy in connection with the
suspected hack of London-based telecommunications provider TalkTalk.
TalkTalk has warned that the hack may have resulted in personal data
on up to 4 million subscribers being stolen. The company recently
confirmed that it received a
ransom demand from the alleged hacking group behind the attack.
The
Police Service of Northern Ireland,
together with detectives from the London Metropolitan Police Cybercrime
Unit, arrested the teenager Oct. 26 in County Antrim - north of Belfast
- on suspicion of violating the Computer Misuse Act. He is currently
being questioned as part of what authorities say has been a joint
investigation involving the Met police, PSNI's Cybercrime Center as well
as the U.K. National Crime Agency.
"We know this has been a worrying time for customers and we are
grateful for the swift response and hard work of the police. We will
continue to assist with the ongoing investigation," TalkTalk said in a
statement. "We take the security of your data very seriously."
But the company, which has admitted this year to suffering three
separate breaches since late 2014, was already facing sharp questions
about the state of its information security defenses. Those questions
have intensified in the wake of a report that TalkTalk was breached
using a simple SQL injection attack (see
TalkTalk Breach Fuels Call for Tougher UK Laws).
"Anyone building a business website who has not learnt about how to
protect against SQL injection attacks probably needs to go back to the
classroom," says U.K. security expert
Graham Cluley in a blog post.
Indeed, if TalkTalk was breached by a teenager, it's going to be
difficult for the company - which earned 2014 gross revenues of £1.7
billion ($2.65 billion) - to claim that it takes security seriously,
says University of Surrey computer science professor Alan Woodward,
who's a cybersecurity advisor to the association of European police
agencies known as Europol.
