The head of TalkTalk has dismissed claims that it has not done enough to protect its users' data, in the wake of a major breach potentially affecting 4 million customers. In an interview over the weekend, chief executive Dido Harding said the company was under no "legal obligation" to encrypt customer data, including bank account details and other sensitive information, and that it had done enough to protect its customers under United Kingdom law.
Speaking to the Sunday Times, Harding said: "[Our data] wasn't encrypted, nor are you legally required to encrypt it. We have complied with all our legal implications in terms of storing of financial information."
Ars Technica notes that the relevant provision of the UK Data Protection Act 1998, the seventh data protection principle, requires that "appropriate technical and organisational measures" be taken against unauthorised or unlawful processing of personal data and against its accidental loss, destruction or damage, but it does not mandate encryption or any other specific control. The Act is technology-neutral: it leaves the data controller to judge what is "appropriate" having regard to the state of technological development, the cost of implementing measures, the harm that might result from a breach and the nature of the data. The absence of a named requirement to encrypt therefore does not by itself settle whether storing unencrypted bank details met that standard.
Since the attack, and the investigation subsequently launched by the Metropolitan Police cyber crime unit, TalkTalk has hired BAE Systems to help shore up its security and investigate the breach. It is now claimed that the attackers only got as far as the TalkTalk website and not its more sensitive corporate systems, and that the site held only partial credit card numbers. Even so, the company has yet to reveal the full extent of the breach.
As for how much the data could be worth, more details of a ransom demand sent to Harding appear to have emerged. Sources close to the investigation cited by Brian Krebs suggest the ransom amount was £80,000 (approximately $122,000) in Bitcoin, with copies of tables from the user database provided as evidence that the purported attacker was involved in the breach. A number of hacking groups have claimed responsibility for the attack, with some also promising to sell the data on a "deep web black market."
Affected TalkTalk customers are being offered 12 months of free credit monitoring.