Update: The U.K.’s Metropolitan Police Cyber Crime Unit this afternoon arrested a 15-year-old Northern Ireland boy in connection with the TalkTalk hack. The teen is alleged to have violated the Computer Misuse Act, a police statement said. He is being questioned at the County Antrim police station. The Police Service of Northern Ireland (PSNI), MPCCU and the National Crime Agency continue to investigate, in addition to executing a search warrant at the teen’s home.
U.K. telecom TalkTalk, still reeling from a break-in reported last Wednesday, tried to cushion the blow over the weekend by telling those affected that the number of records stolen was smaller than originally thought.
CEO Dido Harding said in a video update posted Sunday to the TalkTalk site that the Metropolitan Police Cyber Crime Unit investigation continues into the hack, in which criminals accessed and made off with personal information (names, addresses, dates of birth), email addresses, phone numbers and TalkTalk account data, including credit card numbers.
Harding, in an interview with the BBC, said that the attackers had contacted her personally and demanded a ransom (reportedly £80,000 in Bitcoin) to keep them from publishing the stolen data.
“Yes we have been contacted by—and I don’t know if it’s an individual or a group—purporting to be the hacker,” Harding said. “All I can say is that I personally received a contact from someone purporting to be the hacker looking for money.
“The days of stealing data and selling it on the dark web are not as profitable as they used to be,” Harding said. “And I do think you see more cybercriminals wanting to effectively extort companies that hold that data.”
Last Wednesday, the telecom reported that its website had been hacked in a sustained cyberattack, wording that suggested a DDoS attack. It also said that internal systems were accessed; a number of researchers speculated that a SQL injection vulnerability on the TalkTalk videos website was exploited. Harding said, however, that TalkTalk does not store unencrypted credit card data on its site, that the stolen credit card data has the six middle digits “blanked out,” and that the information cannot be used in transactions.
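The SQL injection theory is, at this point, only speculation from outside researchers. As an added example that is not TalkTalk's code and not part of the original article, the hypothetical handler below shows the mechanism those researchers had in mind: a lookup on a videos table built by string concatenation lets one crafted category parameter pull rows out of an unrelated customers table through a UNION, while the same query with a bound parameter returns nothing for that input. The table names, columns and records are constructed for the demonstration (sqlite3, in memory).

```python
import sqlite3

# Constructed sample data for the demonstration; none of it is real customer data.
SAMPLE_CUSTOMERS = [
    (1, "Alice Example", "alice@example.invalid", "01234 567890"),
    (2, "Bob Example", "bob@example.invalid", "01234 567891"),
    (3, "Carol Example", "carol@example.invalid", "01234 567892"),
]
SAMPLE_VIDEOS = [
    (10, "Getting started", "help"),
    (11, "Broadband setup", "help"),
    (12, "Summer offers", "promo"),
]


def make_db():
    """Build an in-memory database with a hypothetical videos table and a customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.execute("CREATE TABLE videos (id INTEGER, title TEXT, category TEXT)")
    conn.executemany("INSERT INTO videos VALUES (?, ?, ?)", SAMPLE_VIDEOS)
    return conn


def search_videos_vulnerable(conn, category):
    """Hypothetical vulnerable handler: the user-supplied category is pasted into the SQL text."""
    sql = "SELECT id, title, category FROM videos WHERE category = '" + category + "'"
    return conn.execute(sql).fetchall()


def search_videos_safe(conn, category):
    """Same lookup with a bound parameter: the input is data and cannot change the query's shape."""
    sql = "SELECT id, title, category FROM videos WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


# A UNION-based payload: it closes the string literal, appends a SELECT with the same
# number of columns drawn from the customers table, and comments out the trailing quote.
PAYLOAD = "help' UNION SELECT id, name || ' <' || email || '> ' || phone, 'x' FROM customers -- "


def leaked_rows(rows):
    """Pick out the rows the payload smuggled in; they carry the marker category 'x'."""
    return [r for r in rows if r[2] == "x"]


if __name__ == "__main__":
    conn = make_db()
    for row in search_videos_vulnerable(conn, PAYLOAD):
        print("vulnerable:", row)
    print("safe:", search_videos_safe(conn, PAYLOAD))
```

Through the concatenated query the payload returns the two genuine "help" videos plus one row per customer; through the parameterized query the same string is simply a category that matches nothing. The fix is the bound parameter, not input filtering: any place where user input can alter the structure of the SQL statement is the bug.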
“No [TalkTalk] My Account passwords were stolen and no banking details were taken that you wouldn’t already be sharing when you write a check or give someone so they can pay money into your account,” Harding said.
Researchers at Corero Network Security, meanwhile, said that the DDoS attack could have been a diversionary tactic to keep investigators busy while hackers stole customer data.
“More frequently, exfiltration of personal data comes on the heels of a DDoS attack, as this activity can be used to map or profile a network’s existing security defenses, pinpointing holes in security or vulnerabilities to exploit,” said Dave Larson, CTO at Corero Network Security. “An onslaught of DDoS attack activity follows, distracting IT personnel, overwhelming data logging tools and masking other nefarious attack attempts.”
Security website Krebs on Security, meanwhile, reported that a post to a dark web site called AlphaBay said that hacked TalkTalk data would be posted to the site. The person who posted the information, Krebs on Security reports, is a known trader of payment card data and also sells illegal drugs through the site.
TalkTalk’s security has been scrutinized for more than a year. Last October, U.K. security researcher Paul Moore explained that TalkTalk’s webmail program severely lacked encryption. TalkTalk eventually updated its site to use SSL, but not before Moore disclosed that its registration page lacked HTTPS, as did the webmail login page both before and after login; the service also did not support encryption on incoming mail, he found.
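The kind of check Moore's findings call for can be automated. As an added example that is not from the original article and not TalkTalk's or Moore's code, the scanner below walks a page's HTML, finds every form that contains a password field, resolves its action URL against the page URL, and flags the form when either the page itself or the URL it posts to is not served over HTTPS. The page URL and HTML are constructed for the demonstration; only the Python standard library is used.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormScanner(HTMLParser):
    """Collects the resolved action URL of every <form> that contains a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._current = None        # action URL of the form being parsed, if inside one
        self._has_password = False  # whether that form has an <input type="password">
        self.login_forms = []       # resolved action URLs of forms that take a password

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL, as a browser would.
            self._current = urljoin(self.page_url, attrs.get("action") or "")
            self._has_password = False
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._has_password:
                self.login_forms.append(self._current)
            self._current = None


def insecure_login_forms(page_url, html):
    """Return action URLs of password forms whose credentials would travel without TLS.

    A form is flagged if the page carrying it is not HTTPS (an attacker on the path can
    rewrite the form) or if the URL it submits to is not HTTPS (the password goes in clear).
    """
    scanner = LoginFormScanner(page_url)
    scanner.feed(html)
    page_is_tls = urlsplit(page_url).scheme == "https"
    return [u for u in scanner.login_forms
            if not page_is_tls or urlsplit(u).scheme != "https"]


# Constructed sample page, standing in for a webmail login page at a hypothetical host.
SAMPLE_HTML = """
<html><body>
<form action="login" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form action="/search"><input name="q"></form>
<form action="https://example.invalid/secure-login" method="post">
  <input name="user"><input type="PASSWORD" name="pass">
</form>
<form action="http://example.invalid/legacy-login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in insecure_login_forms("http://example.invalid/webmail/", SAMPLE_HTML):
        print("insecure login form posts to:", url)
```

Run against the sample served over plain HTTP, all three password forms are flagged, the one posting to an HTTPS endpoint included, because the page delivering it can be tampered with in transit. Served over HTTPS, only the form that still posts to an http:// URL remains.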