Information about the data breach at UK telecom group TalkTalk has continued to drip out since the company announced a “cyberattack” on its website (on 22 October 2015).

Yet, with every new piece of the puzzle, we seem to get no closer to the truth about what exactly happened, who was responsible, and what TalkTalk is doing to fix this messy affair.

On a positive note, the police seem to be making progress in the breach investigation.

Two more suspects were arrested in recent days, The Metropolitan Police announced: a 20-year-old man at an address in Staffordshire; and a 16-year-old boy in Norwich, arrested Tuesday (3 November 2015), became the fourth suspect arrested in connection with the breach.

Two teenaged boys (ages 15 and 16) have already been arrested on suspicion of Computer Misuse Act offenses but the police haven’t said anything more about what these young men are suspected of doing, and for what purpose.

TalkTalk has continued to update the public on the breach at a dedicated webpage, and on Friday (30 October 2015), the company was finally able to explain precisely how much data was lost:

• Fewer than 21,000 unique bank account numbers and sort codes
• Fewer than 28,000 obscured credit and debit card details (unencrypted, but with the middle 6 digits removed)
• Fewer than 15,000 customer dates of birth
• Fewer than 1.2 million customer email addresses, names and phone numbers

Although bank account numbers on their own can’t be used by cybercriminals for fraud, TalkTalk says, customer names, email addresses, birth dates and phone numbers can be used for a variety of scams and phishing attacks.

TalkTalk CEO Dido Harding made yet another statement, confirming that the scale of the attack was “much smaller” than initially thought, but:

... this does not take away from how seriously we take what has happened and our investigation is still on going. On behalf of everyone at TalkTalk, I would like to apologise to all our customers. We know that we need to work hard to earn back your trust and everyone here is committed to doing that.

We’ll have to assume that Harding hasn’t read Naked Security writer Mark Stockley’s tongue-in-cheek but dead accurate take on what companies sound like after a data breach.

If she had, she would have known that comments about just how “seriously” she takes a security breach of this magnitude only makes it sound like it wasn’t all that serious a consideration beforehand.

With her numerous public statements, Harding has given the appearance of  transparency, but she may only be muddying the waters with contradictory and even factually incorrect statements.

For example, Harding may have been correct in saying that TalkTalk was “not legally required” to encrypt customer data under the 1998 Data Protection Act, but she also stated that “we don’t store unencrypted data on our site,” according to a thorough tick-tock of the data breach compiled by The Register.

The UK Parliament is launching an inquiry into the breach, and will likely look into making data encryption compulsory for firms holding customer data, the BBC reported.

Encryption wouldn’t have helped keep TalkTalk customers’ data safe though if the attackers prized it out with a SQL injection attack (something Harding may have been suggesting when she incorrectly said that TalkTalk was the victim of a “sequential attack“.)

TalkTalk and Harding initially suggested that the website was knocked out by a denial-of-service attack but have yet to explain how that was that connected to the data breach.

Harding also got ahead of herself when she told the BBC that she had received a ransom demand for the stolen data.

After these public relations blunders, TalkTalk has clammed up about how the attack happened, saying in its FAQ that the “attack is the subject of a criminal investigation by the police so we can’t make any further comment.”

Speaking of which, TalkTalk released a statement from a Detective Superintendent Jayne Snelgrove of the Metropolitan Police Cyber Crime Unit, who said:

TalkTalk have done everything right in bringing this matter to our attention as soon as possible. Our success relies on businesses being open with us and each other about the threats they encounter.

Meanwhile, TalkTalk has only just begun (as of 30 October 2015) contacting those customers whose data was accessed.

Countless companies have had similar troubles after a data breach, and getting it right is obviously not easy.

But TalkTalk seems to have done little right apart from getting law enforcement involved and offering an apology – and it has a lot of work to do to earn back customers’ trust if it wants to hang on to them.

Follow @NakedSecurity
Follow @JohnZorabedian

Image of man screaming courtesy of Shutterstock.com.