British police have arrested a 15-year-old boy in connection with the suspected hack of London-based telecommunications provider TalkTalk.
TalkTalk has warned that the hack may have resulted in personal data on up to 4 million subscribers being stolen. The company recently confirmed that it received a ransom demand from the alleged hacking group behind the attack.
The Police Service of Northern Ireland, together with detectives from the London Metropolitan Police Cybercrime Unit, arrested the teenager Oct. 26 in County Antrim - north of Belfast - on suspicion of violating the Computer Misuse Act. He is currently being questioned as part of what authorities say has been a joint investigation involving the Met police, PSNI's Cybercrime Center as well as the U.K. National Crime Agency.
"We know this has been a worrying time for customers and we are grateful for the swift response and hard work of the police. We will continue to assist with the ongoing investigation," TalkTalk said in a statement. "We take the security of your data very seriously."
But the company, which has admitted this year to suffering three separate breaches since late 2014, was already facing sharp questions about the state of its information security defenses. Those questions have intensified in the wake of a report that TalkTalk was breached using a simple SQL injection attack (see TalkTalk Breach Fuels Call for Tougher UK Laws).
"Anyone building a business website who has not learnt about how to protect against SQL injection attacks probably needs to go back to the classroom," says U.K. security expert Graham Cluley in a blog post.
Indeed, if TalkTalk was breached by a teenager, it's going to be difficult for the company - which earned 2014 gross revenues of £1.7 billion ($2.65 billion) - to claim that it takes security seriously, says University of Surrey computer science professor Alan Woodward, who's a cybersecurity advisor to the association of European police agencies known as Europol.

