TalkTalk Breach: Third Suspect Arrested
Vodafone Also Warns of Breach Because of Reused Passwords
British police have arrested a third suspect in connection with the hack attack against London-based telecommunications provider TalkTalk, which now says that its data breach appears to have exposed details for up to 1.2 million customers, rather than 4 million (see TalkTalk Hack: U.K. Police Bust Teenage Suspect).
The 20-year-old man was arrested Oct. 31 in Staffordshire, England, on suspicion of violating the Computer Misuse Act, by detectives from London's Metropolitan Police Cybercrime Unit and officers from the National Crime Agency. The man has been released on bail until March 2016, when he's due to face related charges in court.
That followed the Oct. 29 arrest of a 16-year-old boy in Feltham - near London - on suspicion of violating the Computer Misuse Act. He has also been released on bail until an as-yet-unconfirmed court date. A third suspect in the case, a 15-year-old boy arrested last week in Northern Ireland, has also been released pending a court appearance later this month.
The Met Police say their related investigation into the "significant and sustained" Oct. 21 attack on TalkTalk's website remains ongoing and is being conducted with the Police Service of Northern Ireland and the U.K. National Crime Agency, and that TalkTalk executives have been cooperating fully. "TalkTalk [leaders] have done everything right in bringing this matter to our attention as soon as possible," says Jayne Snelgrove, a detective superintendent with the Metropolitan Police Cyber Crime Unit. "Our success relies on businesses being open with us and each other about the threats they encounter."
The U.K. Information Commissioner's Office, which enforces the country's data-protection laws, has also confirmed that it was notified by TalkTalk of the breach on Oct. 22.
Vodafone Issues Breach Alert
Separately, mobile phone provider Vodafone UK warned Oct. 31 that it had suffered an attack from Oct. 28 to 29 that appeared to compromise information relating to 1,827 customers. The company says it informed the ICO and National Crime Agency Oct. 30 about the breach of customer data, which includes customers' names, mobile telephone numbers, bank sort codes and the last four digits of their bank account numbers.
Vodafone says it traced the breach to customers who had reused passwords across different sites (see Why Are We So Stupid About Passwords?). "This incident was driven by criminals using email addresses and passwords acquired from an unknown source external to Vodafone," the company says in a statement. "Vodafone's systems were not compromised or breached in any way."
TalkTalk Breach Less Severe Than Feared
TalkTalk, which sells mobile phone, broadband and TV subscriptions, is now reporting that its breach did not involve 4 million customer records, as it first suspected. As of Oct. 30, TalkTalk says that personal information accessed by the attackers included as many as:
- 1.2 million customer email addresses, names and phone numbers;
- 28,000 obscured credit and debit card details - although the middle 6 digits had been tokenized, i.e. removed;
- 21,000 unique bank account numbers and sort codes;
- 15,000 customer dates of birth.
"We can confirm that the scale of attack was much smaller than we originally suspected, but this does not take away from how seriously we take what has happened and our investigation is still ongoing," TalkTalk CEO Dido Harding says. The company has advised all customers to change their account passwords, once it restores online access.
Harding says that on Oct. 30, TalkTalk began directly notifying all affected customers, and reiterated that the stolen information cannot be used for financial transactions, although TalkTalk has also shared details of stolen bank account details with U.K. banks. "On behalf of everyone at TalkTalk, I would like to apologize to all our customers," Harding says. "We know that we need to work hard to earn back your trust and everyone here is committed to doing that."
The company is also offering 12 months of prepaid credit monitoring alerts from U.K. credit reference agency Noddle to all breach victims. TalkTalk says that it will not reimburse any losses or costs that arise from the stolen customer data.
Action Fraud - the U.K.'s national fraud and cybercrime reporting center - has warned all potential TalkTalk breach victims to beware related scams, and noted that TalkTalk will never contact customers to request their bank details, ask them to download software or ask for people's full account passwords.
Some British legislators have promised to launch an inquiry into the breach. Culture minister Ed Vaizey, who's in charge of the government's digital agenda, recently said in Parliament that he might support mandatory encryption for all stored customer data.
"In many cases, businesses set out extremely detailed terms and conditions, but the idea that they are consumer-friendly is wide of the mark," he told Parliament Oct. 26, and said he might propose some type of program "to denote companies that have robust cyber-security procedures in place."
TalkTalk Victims Seek Compensation
The TalkTalk and Vodafone breaches follow U.K.-based mobile phone retailer Carphone Warehouse in August warning that it suffered a data breach that may have exposed personal information associated with up to 2.4 million customers.
But criticism of TalkTalk has been mounting in the wake of the company acknowledging that it has suffered three breaches in less than a year. The company reportedly has declined to accept any liability or pay any compensation to thousands of people who claim to have each been defrauded by up to £5,000 ($7,700) after fraudsters stole their personal data from TalkTalk in a November 2014 breach. In February, TalkTalk confirmed that scammers had been using the stolen data - including customers' names, contact information and TalkTalk account numbers - to run social engineering attacks against its customers (see U.K. Telco Confirms Data Breach).
"There are a group of victims who have all lost thousands of pounds who feel very let down: by TalkTalk, the banks and the other institutions," Graeme Smith, who lost £2,815 ($4,360) after being called by fraudsters who pretended to be TalkTalk support staff, tells the Guardian.
The Information Commissioner's Office says its related investigation remains ongoing. "Our investigations into previous incidents are ongoing, and it wouldn't be appropriate to presume a company had breached the Data Protection Act until our inquiries are complete," a spokesman tells Information Security Media Group. "But what is clear is that organizations do need to make sure they have the appropriate level of security in place to protect the customer information they hold. If they don't, we will act."