Dido Harding, the chief executive of TalkTalk, has confessed her company should have done more to protect its customers' personal information, and has confirmed a seemingly related blackmail attempt.
Harding told BBC News that she had personally received an email which included a ransom demand from "an individual or a group, purporting to be the hacker" responsible for the cyber attack on the telecoms company.
She apologised to the telco's customers, stating that "over the course of the last year, we as a company invested significantly [in security, but] ... it would be wrong of me to give you [complete and unequivocal assurance] today, when the amount of data that these criminals have had access to is very large."
Harding was keen to stress that the incident now involves "a live criminal investigation".
Harding offered her thoughts on the data-flogging underworld, stating that "if you're a cybercriminal, those days of stealing data and then selling it for cash in the dark web, they're not so profitable as they used to be, and I do think that you see more cyber criminals wanting to effectively make money by extorting the companies that hold that data".
Although TalkTalk is not saying how the breach arose, several routes are possible. A new SSL-checker from High-Tech Bridge notes that the site is non-compliant with PCI DSS requirements. It is unclear at the moment whether this is an isolated misconfiguration or a symptom of what may be a complacent security culture at TalkTalk.
Communicating with The Register earlier today, Chris Oakley, a principal security consultant at Nettitude stated that the "PCI-DSS standard – which regulates the way companies store credit card details – includes some very specific requirements that are designed to ensure that this card data is always properly secured; it is unclear what the TalkTalk PCI compliance status is at the time of this week's breach".
TalkTalk hasn't yet been able to confirm whether strong encryption was applied to cardholder data; this has got lots of tongues wagging about whether this information was suitably protected.
It’ll be a worry to the four million customers affected by this breach that they have yet to receive clarity on this point.
The CEO had previously provoked much raising of eyebrows when she attributed the theft to a DDoS attack. TalkTalk's share prices had dropped 10.7 per cent this morning following the admission of the breach. ®
The Register has created a timeline of TalkTalk's contradictory comments following on from the initial announcement of a website outage.