Dido Harding may wish TalkTalk had been hacked by Russian Islamists after all. A 15-year-old boy has been arrested in Northern Ireland in connection with the cyber attack that has seen the telecoms company’s shares and reputation take a beating since it came to light last week.
The boy was arrested yesterday on suspicion of offences under the Computer Misuse Act and a house in County Antrim is being searched. Clearly, there’s no confirmation yet the police have got their guy, but investors were nonetheless relieved: the company’s shares have risen more than 9% this morning to around 245.6p, having dropped almost 13% yesterday.
Relief aside, the possibility that its website was compromised by a teenager is pretty embarrassing for TalkTalk (although if he is responsible, he’ll probably still have companies and government agencies queueing up for his services - even if he did nick the idea of Russian Islamist cyber-terrorists straight out of a Jack Bauer plotline). It's even more cringeworthy given that the attack was reportedly a relatively run-of-the-mill SQL injection (malicious code submitted through a website's input that tricks the underlying database into allowing its data to be downloaded) - which Harding mistakenly called a 'sequential attack'.
‘This is an attack vector that has been known for more than a decade and it is still found in web applications around the globe,’ Wim Remes, a manager at cyber security firm Rapid7, told tech site The Register. ‘While it is possible for the error that enables such an attack to slip through a well-established application security program, they are fairly easy to prevent with the proper safeguards in place.’
TalkTalk have done their best to be open about the hack, but potentially being compromised by a teenager and not even getting your terminology right suggests a pretty low level of concern for cyber security, which, as this latest incident shows, has increasingly proven to be critical for businesses.
On the other hand, the attack wasn’t as bad as previously thought, TalkTalk has said. Any credit details leaked were ‘partial’ (i.e. with some numbers replaced by Xs) and bank details by themselves won’t be enough to steal customers’ money, chief executive Harding told Sky News at the weekend.
Nonetheless, if all the data has found its way onto the internet, customers will be at risk of being tricked by spam callers pretending to be from TalkTalk into giving up the rest of their details. Harding also raised eyebrows on Sunday when she claimed companies weren’t legally obliged to encrypt customers’ sensitive data.
The telco risks looking even more uncaring, as it continues to insist that exit penalties for customers that want to leave their contract early will only be waived ‘in the unlikely event’ that their money is stolen as a result of this hack. It clearly doesn’t want a mass exodus, but if people end up getting ‘phished’ by spammers they’re unlikely to remain loyal to TalkTalk anyway.