TalkTalk attack: 'No legal obligation to encrypt customer bank details', says chief
ISP calls in BAE Systems to probe security breach
TalkTalk continued on its quest to be painted merely as a victim of crime today, while the budget ISP's website remained offline following a huge attack on its business earlier this week.
In an interview with the Sunday Times, TalkTalk CEO Dido Harding said that her company was under no "legal obligation" to encrypt sensitive customer data, such as bank account details.
"It wasn't encrypted, nor are you legally required to encrypt it," she told the newspaper. "We have complied with all of our legal obligations in terms of storing of financial information."
She added: "The bad stuff that can happen is actually because the criminal then scams you further."
TalkTalk has claimed that the data nicked by malefactors was "materially lower" than feared. However, the company was yet to reveal exactly how many of its customers were at risk of being targeted by scammers following the raid on its website.
On Saturday, TalkTalk attempted damage limitation by saying that the attack was less serious than first thought. But the company did reveal that some credit card information had been snatched.
Meanwhile, it has been claimed by security blogger Brian Krebs that the uncorroborated ransom message received by TalkTalk CEO Dido Harding included a demand for $80,000 in Bitcoin.
A source close to the investigation who spoke on condition of anonymity told KrebsOnSecurity that the hacker group who demanded the £80,000 ransom provided TalkTalk with copies of the tables from its user database as evidence of the breach. The database in question, the source said, appears related to at least 400,000 people who have recently undergone credit checks for new service with the company.
The Register asked TalkTalk to tell us more about the ransom demand, which may possibly be unconnected to the latest attack on the telco's systems, given that TalkTalk suffered earlier security breaches in February and July this year.
A company spokesbeing told us: "We can't comment on the message, due to the ongoing police investigation."
El Reg also wanted to know how soon TalkTalk's website might return to life.
"TalkTalk and BAE Systems are working together to investigate the website breach. BAE's cyber-specialists are currently analysing vast quantities of data to help establish how the breach happened and what information was stolen," we were told.
The spokesbeing added: "Hoping to get the site up and running as quickly as possible, but obviously we will not do so until we are confident that all aspects are as secure as possible." ®