Third suspect arrested over TalkTalk breach

A 20-year-old Staffordshire man has become the third person to be arrested in connection with the mammoth hack of British telco TalkTalk. The unnamed man has been released on bail until March after he was arrested under the country's Computer Misuse Act. He was nabbed in connection with a hack on budget telco lifting 1.2 …

  1. Dan 55 Silver badge
    Stop

    Wrong and a disservice to readers

    Customers wanting to leave the popped telco will need to have had money stolen on or after 21 October as a result of the hack, and have contacted the fraud department.

    They've not followed the DPA or the Supply of Goods or Services Act, but statutory rights aside, they've even broken their own T&Cs.

    http://www.moneysavingexpert.com/news/broadband/2015/10/talktalk-website-hacked-what-you-need-to-do-now

    http://www.thisismoney.co.uk/money/news/article-3292565/The-small-print-says-quit-TalkTalk-Hacked-telecoms-giant-refusing-let-customers-leave-without-paying-fees-ve-loophole.html

    1. Mark 85

      Re: Wrong and a disservice to readers

      And I have to wonder about their statement of "not accepting any liability" for this? They really do seem to be sleazy.

    2. Anonymous Coward

      Re: Wrong and a disservice to readers

      "They've not followed the DPA or the Supply of Goods or Services Act, but statutory rights aside, they've even broken their own T&Cs."

      Let's take a step back here. There's an elephant in the room and that is the lock in time of the contracts.

      It makes the contracts very one-sided indeed.

      Should anyone be allowed to lock you in for a year in response to the click of a mouse?

      Common sense says not.

      1. Anonymous Coward

        Re: Wrong and a disservice to readers

        "Should anyone be allowed to lock you in for a year in response to the click of a mouse?"

        When they have broken their own T&Cs, have clearly lied to customers on occasion (there's one statement from a few months ago that starts "We take customer protection seriously" or words to that effect, which is a bit of a joke), and have also obviously breached the Supply of Goods and Services Act, arguably the Data Protection Act (noticeable that the ICO has not commented on this in any significant way) ... should such an unfair lock-in be allowed to stand, or is it an unfair contract? Both matter, but if they've breached it anyway ....

      2. Gordon 10

        Re: Wrong and a disservice to readers

        "Should anyone be allowed to lock you in for a year in response to the click of a mouse?"

        There is a 14 day cooling off period for any online purchase apart from digital downloads - so this is already covered in the consumer rights act.

  2. John Brown (no body) Silver badge
    Facepalm

    He is said to be part of the trio

    Well, duh! If he wasn't "said to be part of the trio", it would only be a duo

  3. Phil Kingston

    "TalkTalk says it is not accepting liability for other possible expenses customers may have to bear as a result of the breach."

    Wait, so if a victim has their bank account raided, gets overdrawn and the bank levies an overdrawn fee (which they like to do if you even look at them funny these days), then TT say they're not liable? I can't see that stance lasting too long once they're pressed.

    1. vagabondo

      how?

      Could you please explain how a bank account could be raided using the victim's name, e-mail address, partial credit card details etc?

      I can understand that a direct debit might be set up using the victim's bank account name and number. However the bank that receives the money bears the onus of proving the transaction was not fraudulent, not the victim.

      Most of the claimed consequential losses that I have read of are the result of phishing e-mail or telephone cons. They rely on publicly available directory data and perhaps an e-mail header. There is no requirement for stolen data even if that would make the fraud logistics a little simpler.

      I am in no way supporting TalkTalk. They seem to outsource customer support and invoicing systems on the basis of price, not competence. The real problem is the general attitude among large companies who actively sacrifice privacy and security in the name of "user-friendliness" and glitz. TalkTalk, like many large corporations, insist that their customers use security-weak mail servers and web browsers in order to do business with them. There is no reason for them to send mail from a server that does not identify itself correctly (PTR records and HELO responses), or for placing code from third-party domains on their web-sites, or using cross-site scripting for payment processing.

      This is all part of a culture of technically incompetent senior decision makers. Just try to complain to a large bank or utility company. The standard response is "We are a large organisation, that pays our experts a lot of money. Therefore we must know more about these things than you, even if you are an engineer".
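One way to check the two properties vagabondo mentions (a sending server's PTR record and the name it gives in HELO), as an added example that is not part of the comment thread or anything TalkTalk publishes: forward-confirmed reverse DNS on the connecting IP, plus a check that the HELO name resolves to that IP. The DNS data is a constructed in-memory table using documentation-range addresses so the script runs offline; `lookup_ptr` and `lookup_a` stand in for real resolver calls and would be replaced with a DNS library in practice.

```python
"""Receiver-side check that a sending mail server identifies itself correctly.

Added example; the DNS records below are constructed (hypothetical names and
RFC 5737 documentation addresses), not real infrastructure. lookup_ptr() and
lookup_a() are placeholders for live resolver calls.
"""
from dataclasses import dataclass

# Constructed reverse (PTR) and forward (A) records for the demo.
PTR_TABLE = {
    "192.0.2.10": ["mx1.example.com."],             # well-configured sender
    "192.0.2.20": ["dynamic-20.isp.example.net."],  # generic ISP reverse name
    "198.51.100.5": [],                             # no reverse record at all
}
A_TABLE = {
    "mx1.example.com.": ["192.0.2.10"],
    "dynamic-20.isp.example.net.": ["192.0.2.20"],
    "mail.example.org.": ["203.0.113.7"],
}


def normalize(name: str) -> str:
    """Canonical DNS name: lower-case, single trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def lookup_ptr(ip: str) -> list:
    """Placeholder for a reverse lookup of ip (PTR records)."""
    return list(PTR_TABLE.get(ip, []))


def lookup_a(name: str) -> list:
    """Placeholder for a forward lookup of name (A records)."""
    return list(A_TABLE.get(normalize(name), []))


@dataclass
class HeloCheck:
    ip: str
    helo: str
    ptr_names: list
    fcrdns_ok: bool             # some PTR name resolves back to ip
    helo_resolves_to_ip: bool   # HELO name resolves to ip
    helo_matches_ptr: bool      # HELO name equals a PTR name (advisory)
    findings: list

    @property
    def identifies_correctly(self) -> bool:
        # The two hard requirements: FCrDNS holds and HELO points at the IP.
        return self.fcrdns_ok and self.helo_resolves_to_ip


def check_sender(ip: str, helo: str) -> HeloCheck:
    """Evaluate a connecting IP and the HELO/EHLO name it announced."""
    findings = []

    ptr_names = lookup_ptr(ip)
    if not ptr_names:
        findings.append("no PTR record for connecting IP")

    # Forward-confirmed reverse DNS: at least one PTR name must map back to ip.
    fcrdns_ok = any(ip in lookup_a(name) for name in ptr_names)
    if ptr_names and not fcrdns_ok:
        findings.append("PTR name does not resolve back to connecting IP (FCrDNS fails)")

    helo_ips = lookup_a(helo)
    helo_resolves_to_ip = ip in helo_ips
    if not helo_ips:
        findings.append("HELO name does not resolve")
    elif not helo_resolves_to_ip:
        findings.append("HELO name resolves, but not to connecting IP")

    # Softer signal: HELO and PTR naming the same host is expected but not required.
    helo_matches_ptr = normalize(helo) in {normalize(n) for n in ptr_names}
    if ptr_names and not helo_matches_ptr:
        findings.append("HELO name differs from PTR name (advisory)")

    return HeloCheck(ip, helo, ptr_names, fcrdns_ok,
                     helo_resolves_to_ip, helo_matches_ptr, findings)


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mx1.example.com"),
                     ("192.0.2.20", "mail.example.org"),
                     ("198.51.100.5", "mx1.example.com")]:
        result = check_sender(ip, helo)
        status = "OK" if result.identifies_correctly else "SUSPECT"
        print(f"{ip:>14} HELO {helo:<18} {status}  {'; '.join(result.findings)}")
```

The advisory mismatch between HELO and PTR is reported separately from the two hard failures because plenty of legitimate senders have a PTR name that differs from their HELO name; a receiver would normally score it rather than reject on it.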

      1. Anonymous Coward

        Re: how?

        "I can understand that a direct debit might be set up using the victim's bank account name and number. However the bank that receives the money bears the onus of proving the transaction was not fraudulent, not the victim."

        If Talk Talk facilitates the fraud by providing the info, they're at best negligent and should be liable for any costs incurred - including the time taken by the consumer, any overdraft fees incurred, etc.

        Simple thing: If we (a Talk Talk customer here) genuinely have nothing to worry about, they can prove that and reassure us all in one easy step: take the list of information that may have been leaked, and publish that same information for each member of their board. If we have nothing to worry about, then they have nothing to fear from that publication either.

        1. vagabondo

          Re: how?

          I am in no way condoning the blatant disregard for the safety of their customer's data by TalkTalk or any one else. I think that severe punishment has been long overdue. Most large organisations, including banks and government departments just don't care. The directors deserve to be barred, as well as the companies facing punitive financial damages. This corporate behaviour is wilful negligence.

          However given the information presented in the article, I do not understand how this data loss is sufficient for a victim to have their "bank account raided", and would appreciate an explanation of how it could be done. Hence the title.

  4. Turtle

    We've heard that before...

    "TalkTalk says it is not accepting liability for other possible expenses customers may have to bear as a result of the breach because fuck you."

    We've heard that kind of reasoning before.

    1. This post has been deleted by its author

  5. Elmer Phud

    It seems that whatever happens the cops have got some folks to pin it all on -- now they have to prove the three did the actual break in and not just got a bulge in the groin from the DDoS.

    But why isn't the head of TT charged for being a lying git?

  6. Anonymous Coward

    Are these the *real* perps ?

    The CMA is a generic charge, and I have my suspicions these are just 3 dorks who couldn't resist seeing if that darknet data was real ......

    1. nijam Silver badge

      Re: Are these the *real* perps ?

      > I have my suspicions these are just 3 dorks who...

      ...irritated a policeman once?

    2. Alan Brown Silver badge

      Re: Are these the *real* perps ?

      Or simply just poked at the SQL injection to see if Bobby Tables was alive.

  7. LucreLout

    Well done, well done...

    ... It only took three arrests before TalkTalk found a l33t haxxor who is actually older than the exploit used to own them.

    Seriously TalkTalk, your entire C suite and all of your board need to start acknowledging the limits of their "talents" and step back to more appropriate roles in more appropriate organisations. Do you want fries with that?

  8. Spasticus Autisticus
    Headmaster

    Everybody out!

    All ISPs need to learn from TalkTalk's mistakes; getting hacked in the way they did, their response via Baroness Harding of Shit Creek, etc. To teach TT and other ISPs a lesson we need to encourage everyone we know that is a TT customer to move suppliers to someone else - anyone else but preferably a company with UK tech support - only when TT collapse as a company or are severely financially hurt will anyone take much notice. I have several customers with TalkTalk, I hope many of them will move away, it'll be just a pin prick to TT but if enough do it......

    Power to the people!

    'Foxy'

    1. Anonymous Coward

      @Spasticus Autisticus Re: Everybody out!

      I once put "Lord Upminster" on the record player at a party, and it cleared the room. Quickly.

      1. Spasticus Autisticus

        Re: @Spasticus Autisticus Everybody out!

        Shame, wrong people at the party. (I won't upvote you because I don't 'like' that it cleared the room, nor downvote you because I like your comment.)

        I'm from Essex - in case you couldn't tell.

  9. Known Hero

    back to the story

    Are they just randomly arresting people around the country and then releasing them, so that they can be seen to be doing something ?

  10. Flywheel

    Stitched up?

    Anyone get the nagging feeling that three alleged perps may have been stitched up and the real culprits are perhaps a less-than-reputable government that Britain doesn't want to upset?

    1. jinx3y

      Re: Stitched up?

      You mean china?

  11. Alan Brown Silver badge

    They're utterly desperate

    "TalkTalk says it is not accepting liability for other possible expenses customers may have to bear as a result of the breach"

    They can refuse to accept liability all they want. There are already legal precedents in place and those affected can claim for distress as well as actual monetary losses.

    At this point they must be utterly cacking themselves.

    Is that a class action suit I smell on the morning breeze?

  12. Zap

    Let a COURT decide

    They are not accepting liability?

    How bloody rich is that

    CLASS ACTION TALK TALK HACK

    Let a Judge decide
