top of page
Karl Thomas

TalkTalk cyberattack: The story so far


The extremely recent and still active TalkTalk cyberattack story has generated so much media interest, commentary and analysis that we can safely say that this is big, big news, the kind of topical story that intrigues and affects everyone.

While such incidents still appear to be infrequent – especially on such a big scale – the reality is far from the truth. Cybercrime is a growing threat and the risks are very real – headlines in the foreseeable future are likely to be populated with many references to cyberattacks, cybercrime, cyberterrorism and the like.

Over the past week, a lot has been said of this particular case, yet it’s hard to separate fact from fiction, let alone grasp what details matter most. In light of this, we’ve cut through the noise and put together an accurate summary of the key developments in what is one of the biggest security stories of 2015.

October 21st – TalkTalk experiences major cyberattack

TalkTalk picks up “unusual” activity and responds immediately by taking down its website. Although this is a routine response to protect data, it soon emerges that this is a very serious incident.

The Metropolitan Police Cyber Crime Unit (MPCCU) is immediately notified and the telecommunications company works late into the night to restore its webmail service, all the while maintaining its security against any subsequent threats.

This takes roughly 24-hours to resolve, and throughout this period, TalkTalk decides to keep the matter private. It will not be until October 23rd that most people hear about the attack.

October 22nd – TalkTalk reveals that its website has been compromised

Confident that it has taken control of the situation, TalkTalk announces that its main website has experienced a “significant and sustained cyberattack” and that an investigation is underway.

It reveals that customer data is likely to have been compromised, affecting most if not all of its four million customers. Information that may have been accessed includes names, addresses, email addresses, dates of birth, phone numbers and credit card and bank details.

Worryingly, TalkTalk explains that not all of its data is encrypted, which leads to some criticism from experts and the media. However, this is a moot point, as security expert and We Live Security contributor Graham Cluley later comments in detail:

“Data encryption is, in this case irrelevant.”

“Data encryption is, in this case irrelevant. Standard practice is to store sensitive data on an encrypted file system.

“That way, if the computer is physically stolen, the data is safe. This is great for the ‘laptop left in a train’ scenario, but a database with the details of 4,000,000 customers won’t be a laptop.

“It’s also great in a ‘burglars ram-raid the datacenter’ scenario, because although they’ve stolen the hardware, they can’t access the data. But in a scenario of ‘authorized user accessing the data’, the encrypted data will be decrypted and supplied, because the authorized user gave the correct decryption key.”

“Cybercrime is the crime of our generation.”

Dido Harding, CEO of TalkTalk, says that it is in the process of contacting all of its customers “straight away” and providing them with advice on what to do.

In an interview with the BBC later that night, she describes cybercrime “as the crime of our generation”.

October 23rd – The world begins to wake up to news of this cyberattack

As news of this incident spreads, investors respond swiftly. In a matter of hours after the London Stock Exchange opens, TalkTalk’s share value drops by 10 percent in what is seen by some as the beginning of a possibly devastating financial fallout from this cyberattack.

“For TalkTalk, the cost to its reputation is likely to be very serious,” the BBC’s technology correspondent Rory Cellan-Jones comments. “Now it is going to have to reassure its customers that its security practices are robust enough to regain their trust.”

Unwilling to be drawn into speculation, TalkTalk advises customers to remain vigilant over the coming months and to report any unusual activity to Action Fraud, the UK’s national fraud and internet crime reporting centre.

Beyond the initial statement that this was a “significant and sustained cyberattack”, it doesn’t provide any more detail, leaving many to conjecture about the severity of the data breach and the company’s approach to internet security.

Members of the public are reminded that TalkTalk has already experienced two similar attacks over the past year, with the most recent taken place in August. However, it remains adamant that its systems “were as secure as they could be”.

“It is hard for me to give you very much detail, but yes, we have been contacted by, I don’t know whether it is an individual or a group, purporting to be the hacker.”

The story continues to unfold, with Ms. Harding acknowledging that a ransom has been demanded from someone who claims responsibility for the cyberattack. In an interview with the BBC she says:

“It is hard for me to give you very much detail, but yes, we have been contacted by, I don’t know whether it is an individual or a group, purporting to be the hacker. All I can say is that I had personally received a contact from someone purporting – as I say I don’t know whether they are or are not – to be the hacker looking for money.”

October 24th – TalkTalk update hints at less severe attack

TalkTalk releases its first proper update. It states that the cyberattack that took place was isolated in scope – it was directed towards its website and, resultingly, its “core systems” were not affected.

It also reveals that credit card details on the website are partially-encrypted as a matter of fact, with a series of numbers obscured. What this means is that even if cybercriminals have access to a number – for example, 012345xxxxxx6789 – they remain “unusuable for financial transactions”.

“We now expect the amount of financial information that may have been accessed to be materially lower than initially believed and would on its own not enable a criminal to take money from your account,” TalkTalk elaborates.

October 26th – 15-year-old boy arrested in Northern Ireland

In the spirit of ongoing transparency, TalkTalk continues to deliver official updates, with Ms. Harding fronting a TalkTalk video.

Building on the company’s statement on the 24th that financial details were partially-encrypted, the company’s CEO now confirms that “sensitive financial information was [fully] protected”.

Bank account numbers, as well as sort codes, however, may have been acquired by the individual or group responsible for the data breach. Nevertheless, Ms. Harding goes on to say that there is very little that criminals can do with this information.

Reports begin to emerge of a possible arrest, with most news providers indicating that the suspect is a 15-year-old boy based in County Antrim, Northern Ireland. TalkTalk puts out a statement saying that an arrest has been made, but refrains from going into detail.

It transpires that the arrest was made by officers from the Police Service of Northern Ireland, who were working closely with MPCCU detectives.

“A 15-year-old boy has been arrested on suspicion of Computer Misuse Act offences.”

“A boy arrested in connection with the investigation into alleged data theft from the TalkTalk website has been bailed,” the Met states the following day.

“At [an] address [in County Antrim], a 15-year-old boy was arrested on suspicion of Computer Misuse Act offences. He was taken into custody [and later] bailed to a date in November. Enquiries continue.”

In a busy day of activity, the story takes on a political dynamic, with Ed Vaizey, minister of state for culture and the digital economy, telling the House of Commons that MPs have launched an inquiry into the TalkTalk cyberattack.

October 27th – Be safe and secure your data

“It must be [a] very distressing [time] for customers of TalkTalk,” comments David Harley, research fellow at ESET, as the sustained media attention on the attack appears to ease.

“It’s far from clear how many accounts are affected, and it’s not as though it’s the only breach the company has sustained recently.

“And now it’s become a political issue as well, which must be distressing for the company, deservedly or not. While companies that have suffered a breach sometimes tend to play down its impact, customers should certainly be following TalkTalk’s web page about the attack, which actually includes some reasonable advice to customers.”

The investigation continues.

bottom of page