The hack of telecoms firm TalkTalk dominated the headlines in the United Kingdom last week as the company struggled to respond to accusations that it had dropped the ball (it was the third data breach impacting TalkTalk customers in the last 12 months) and gave customers some poor advice.
I’m not sure if upset TalkTalk customers and rattled investors were relieved to hear that whoever most recently hacked the firm might not have been “Islamic cyber jihadis” after all, or concerned that such a well-known company could have been hacked by a 15-year-old teenager from Northern Ireland using a rudimentary SQL injection attack.
Regardless, the police have now followed up Monday’s raid in County Antrim with a second arrest related to the TalkTalk data breach, this time of a 16-year-old boy at an address in Feltham.
Here is part of what the Metropolitan Police’s press release says:
On Thursday, 29 October, detectives from the Metropolitan Police Cyber Crime Unit (MPCCU) executed a search warrant at an address in Feltham. At the address, a 16-year-old boy was arrested on suspicion of Computer Misuse Act offences. He has now been bailed – we await confirmation of the bail date.
A search of the residential address in Feltham has been completed. Officers have also searched a residential address in Liverpool.
Of course, I have no way of knowing if these teenagers were involved in the hack, and we have to allow proper legal processes to take their course.
But, as I explain in the video I made at the time of the first arrest, any business which has not protected its website against SQL injection attacks probably needs to go back to the classroom itself.
In light of these recent developments, maybe TalkTalk would be wise to hire some teenagers to check out its website security?
'In light of these recent developments, maybe TalkTalk would be wise to hire some teenagers to check out its website security?'
Unless of course they are script kiddies, in which case maybe not. But if these kids do know it, maybe they should indeed be asked. One hopes being in trouble with the law will turn them towards more legal methods. Whether TalkTalk would be their first employer is another matter entirely, I guess. I suppose we'll have to wait until TalkTalk speaks about the matter – if they do (which I suspect they won't).
I was joshing obviously, but even teenage script kiddies know what a SQL injection attack is, and how important it is for website owners to protect against them.