A FIFTH PERSON has been arrested as part of the ongoing investigation into the TalkTalk cyber attack.
The Metropolitan Police Cyber Crime Unit confirmed on Tuesday that it had cuffed an 18-year-old man from Llanelli, South Wales on suspicion of blackmail relating to the TalkTalk hack.
A 15-year-old from County Antrim in Northern Ireland was the first to be questioned by police under the Computer Misuse Act. Three others were also arrested: a 15-year-old from Norfolk, a 16-year-old from west London and a 20-year-old man from Staffordshire. All are currently on police bail.
One of the suspects has started legal proceedings against three national newspapers and two search companies for failing to protect his privacy.
The Daily Mail, The Telegraph and The Sun have all received writs, citing negligence, misuse of private information, defamation, breach of confidence and data protection, while an injunction has been put on Google and Twitter to ensure that any details of the person's name, location and physical characteristics are removed from the interwebs.
The exact form of the update has yet to be clarified, but it could involve a speed-boost, free calls or the addition of a premium TV channel such as Sky Sports. The company estimates that this, along with other costs directly related to the hack, could reach £35m by the time we've all finally forgotten.
TalkTalk lost a third of its value in the wake of the hack, which analysts have suggested could leave it wide open to a takeover by other quad-play providers. The company originally came out of Carphone Warehouse in 2003 before being demerged in 2010 to become one of the biggest LLU telecoms providers in the UK.
The high-profile cyber attack, which began on 21 October, appears to have been the result of a heist masked by a distributed denial-of-service attack (DDoS).
Some 28,000 credit and debit card details were stolen, 15,656 bank account numbers and sort codes were accessed, and around 15,000 dates of birth were also pinched.
This adds to the 1.2 million email addresses, names and phone numbers that were also taken. The credit and debit card details were partially obscured and are of no use for financial transactions, but the 15,656 bank account details could be used in cyber theft.
Additionally, telephone phishing attacks using TalkTalk data to trick customers into giving up more sensitive credentials have been reported, but this is TalkTalk's fourth breach in 12 months, and it is thought that the vast majority of these con-attacks were from previous data thefts.
TalkTalk boss Dido Harding came under fire last month for saying in an interview that her company had broken no laws by failing to encrypt data. She told The Sunday Times (paywalled) that her company's data "wasn't encrypted, nor are you legally required to encrypt it. We have complied with all of our legal obligations in terms of storing financial information."
The company has brought in hacking experts from BAE to assess the damage and independently confirm the risks to customers. One police chief has likened the attack to the Great Train Robbery in terms of scale, suggesting that TalkTalk will remain a target for years to come.
There are increasing voices pointing out that TalkTalk, after being targeted several times this year, is not meeting its obligations in terms of protecting its subscribers. The company admitted in February that it was working with the Information Commissioner's Office to curb the series of fake tech support calls aimed specifically at TalkTalk customers.
High Tech Bridge, which offers testing of SSL and TLS encryption verifications, confirmed that several aspects of TalkTalk's security, including its cipher suites and certificates, don't conform to Payment Card Industry Data Security Standard and US National Institute of Standards and Technology guidelines, which doesn't exactly make it a sitting duck, but possibly a sluggish poussin.
Greg Aligiannis, senior director of security at Echoworx, added: "The most concerning revelation from today’s news is the blasé approach to encrypting customer data. Security of sensitive information must be considered a priority by everyone, especially when the life histories of potentially millions of customers are at risk.
"Encryption applied to email and other data lets organisations stay one step ahead if and when a security lapse occurs. It automatically applies policy to stop data leaks before they start, which is especially important now that cyber criminals are developing increasingly sophisticated tactics to infiltrate corporate networks.
"One might question why TalkTalk hasn’t employed encrypted email to transmit or request sensitive information to and from its customer base in light of recent phishing scams."
DDoS attacks are a daily occurrence, but this one is proving particularly significant because of the amount of data that is at risk and the high-profile status of TalkTalk in the broadband market. The company is consistently mentioned by Ofcom in the regulator's list of most-complained-about ISPs.
The future of TalkTalk and its bullish CEO remains in the balance. The company's share price has dropped by a third in the wake of the hack. µ