There’s been a lot of strange developments in the days since last week’s cyberattack on UK telecom TalkTalk, which resulted in the theft of vital personal data from an unknown number of TalkTalk customers.

First up, the criminal investigation is progressing: the Metropolitan Police announced on Monday, 26 October, that a 15-year-old boy has been arrested “on suspicion of Computer Misuse Act offenses” in connection with the breach.

The boy was taken into custody after being arrested Monday at an address in Antrim County, Northern Ireland, and the address was being searched, according to a statement.

The news of the arrest comes after days of conflicting reports about who was behind the attack.

The BBC initially reported that a “Russian Islamist group” had claimed responsibility for the attack; and on Monday, Motherboard reported that a member of the (defunct) hacktivist group LulzSec claimed responsibility for a distributed denial of service (DDoS) attack on TalkTalk’s website.

Security blogger Brian Krebs, citing sources “close to the investigation,” reported that a hacker group had demanded a ransom of £80,000 in bitcoins (about $122,000) in exchange for a stolen cache of customer data.

Krebs also reported that TalkTalk customer data was being offered for sale on a Dark Web forum called AlphaBay, and approximately 500 sales of data worth $75,000 had already been transacted.

TalkTalk CEO Dido Harding is doing a lot of talking to the media, and in a video on the TalkTalk website she says she is “sorry for the frustration and concern that this is causing.”

Harding said on Saturday that the number of people affected in the breach was “materially lower” than first thought – certainly less than all of the company’s 4 million customers.

Meanwhile, TalkTalk’s FAQ about the incident says it’s still “too early” in the investigation to know how many people were affected.

TalkTalk is taking a lot of flak at the moment, some of it justifiable, which Harding acknowledged in an interview with The Guardian:

We are understandably the punchball for everybody wanting to make a point at the moment. Nobody is perfect. God knows, we’ve just demonstrated that our website security wasn't perfect – I'm not going to pretend it is – but we take it incredibly seriously.

But the embattled CEO has also made some puzzling comments.

After it was pointed out that an IT security specialist revealed numerous security weaknesses in TalkTalk’s website last year, she responded by saying that TalkTalk’s security is “head and shoulders better than some of our competitors.”

The security specialist, Paul Moore, wrote in a blog post last September that representatives from the TalkTalk CEO’s office were “aggressive, defensive and dismissive” when he pointed out that the company’s My Account website and webmail service did not use TLS/SSL encryption.

Harding also said in an interview that TalkTalk did not encrypt customer financial information but was “not legally required” to do so – because the UK’s 1998 Data Protection Act does not explicitly require encryption.

Even if it’s true that encryption is not specifically required, the law’s requirement that “appropriate technical or organisational measures be taken” to protect against unlawful access to personal data would strongly suggest it.

If, as Harding says, TalkTalk takes security “incredibly seriously,” the legal requirement to use encryption shouldn’t matter – because you can’t credibly protect data without it.

Follow @JohnZorabedian
Follow @NakedSecurity

Image of data leak courtesy of Shutterstock.com.