VIDEO: TalkTalk hack. 15-year-old boy arrested

Graham Cluley

Police officers in Northern Ireland, working with detectives from the Metropolitan Police Cyber Crime Unit, have arrested a 15-year-old boy in connection with the latest internet attack on British telecom provider TalkTalk.

According to a press release issued by the police, the boy was arrested in County Antrim on suspicion of committing offences under the Computer Misuse Act, and his home was searched.

He has been taken into custody for interviewing.


As you may recall, it is believed that TalkTalk suffered a denial-of-service and SQL injection attack on October 22nd, and as the beleaguered firm attempted to reassure its four million customers that it could be trusted, many commentators pointed out that it was the third time that it had suffered a damaging data loss in less than a year.

Obviously there is no way for me to know if the teenager was responsible for the hack, or has inside information on the attack, but I suspect many will view his age as somehow an indicator that TalkTalk’s hack was even more shameful than previously considered.

Whether that’s fair or not, I’m not sure.

But I do know that both DDoS and SQL injection attacks are relatively unsophisticated, and don’t require years of experience to pull off. In order to be at risk from SQL injection attacks, for instance, all you need is a website that has been built in an amateurish fashion that has not correctly sanitised user input.

Anyone building a business website who has not learnt about how to protect against SQL injection attacks probably needs to go back to the classroom themselves.

You can see what I have to say about the arrest, and advice for other companies running online businesses, in my latest YouTube video.



The Northern Ireland police have now released the 15-year-old male on bail.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

12 comments on “VIDEO: TalkTalk hack. 15-year-old boy arrested”

  1. joe Connell

    I realise the impossibility of anyone publishing a list of similar companies who hold client data in an unencrypted format, but is it known that there are others who operate thus at a national level?

  2. AnonTA

    It's not impossible that he had no connection at all with either the data theft or DDoS attack, but simply phoned in a ransom demand as a prank or opportunist attempt to cash in. We just don't know yet.

    1. Graham Cluley · in reply to AnonTA

      Yes, that's definitely a possibility – and, of course, it's possible that he's not connected at all! We should be careful not to jump to conclusions and allow the professionals to continue their investigation.

  3. TonyP

    So, how do I protect my web site against SQL injection? Answers in single syllables please

    1. Graham Cluley · in reply to TonyP

      Good video here by Tom Scott:

      Alternatively, a cheat sheet for preventing SQL injection here:

      I'm afraid you may need to upgrade your acceptable syllable threshold a little.

      Note that it is not the case that all websites are vulnerable to SQL injection attacks. Rather depends on what you're doing with your website.

    2. Andy Lee Robinson · in reply to TonyP

      On the server, test that integers are supposed to be integers and in range, and strings are valid strings and acceptable length.
      Use prepared statements. Anything that queries or writes to the database must escape quotes, i.e., for MySQL use mysql_real_escape_string() on every variable just before querying.
      This also goes for complex queries that are assembled beforehand – once assembled, variable placeholders can be replaced with their protected versions provided by mysql_real_escape_string().
      If applied globally, this should make sql injections impossible.
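
Added example, not part of the original post or its comments: a Python sketch using the standard-library `sqlite3` module (an assumption; the comment above refers to MySQL) that puts the unsanitised-input problem the article describes beside the integer check and prepared statement recommended in the reply. The table, data and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: an in-memory table standing in for a customer database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, account TEXT)")
    db.executemany(
        "INSERT INTO customers (id, name, account) VALUES (?, ?, ?)",
        [(1, "Alice", "ACC-0001"), (2, "Bob", "ACC-0002"), (3, "O'Neil", "ACC-0003")],
    )
    return db

def escape_quotes(value):
    # Stand-in for quote escaping (SQLite escapes a single quote by doubling it).
    return value.replace("'", "''")

def lookup_concatenated(db, customer_id):
    # Weak: user input is pasted into the SQL text. Escaping quotes does not
    # help here because the value sits in an unquoted numeric position.
    sql = "SELECT name FROM customers WHERE id = " + escape_quotes(customer_id)
    return [row[0] for row in db.execute(sql)]

def parse_customer_id(raw, max_id=1_000_000):
    # Server-side check: must be a plain decimal integer and in range.
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("customer id must be an integer")
    value = int(raw)
    if not 1 <= value <= max_id:
        raise ValueError("customer id out of range")
    return value

def lookup_parameterized(db, raw_id):
    # Hardened: validate, then bind the value; it is never parsed as SQL.
    customer_id = parse_customer_id(raw_id)
    rows = db.execute("SELECT name FROM customers WHERE id = ?", (customer_id,))
    return [row[0] for row in rows]

def lookup_by_name(db, name):
    # Strings are bound the same way, so a name containing a quote is just data.
    if not 1 <= len(name) <= 64:
        raise ValueError("name length not acceptable")
    rows = db.execute("SELECT account FROM customers WHERE name = ?", (name,))
    return [row[0] for row in rows]
```

The concatenated lookup returns every row for input that contains no quote characters at all, which is why the type and range check plus bound parameters matter more than quote escaping alone.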

    3. furriephillips · in reply to TonyP

      Hi TonyP,

      Google Is Your Friend (for questions like this)…

      I googled on your behalf and would recommend this: as an excellent starting point, as it explains it in a really friendly way.

      This also looks like a good read



  4. Rob Thornton

    Obviously it is easy for the press to speculate on this, but on that subject it is amazing how "script Kiddies" can pick up on a lot of the current attacks and are primed to use a set of simple tools that will take out a lot of ill-prepared websites in fairly sophisticated ways when just exploring the "dark web". My main fear is that it would be very easy to have a son (or daughter) tricked into this. Because the tools they download are themselves traps and have backdoors that could easily be hijacked to make the attack look like it came from their home IP address, with some unsuspecting parent caught up in the mess with their ID firmly connected to the ISP. I always warn parents that they should be inquisitive and be fully aware what their connection is being used for. Unfortunately TV/Film continue to glamorise hacking when people miss the obvious. We hear about most of them because eventually they get caught and the consequences… undefinable.

  5. Tony Levene

    TalkTalk will never get my vote as a consumer-friendly organisation. And I am not surprised to see it in the frame now.
    But some of the hysteria! We have even had media stories of people who handed money over to cold callers days before the data breach!
    I was phoned yesterday by a muppet claiming that my computer was running badly (the usual stuff).
    It was obvious that he had only guessed that I was with TalkTalk as he then asked the name of my provider. And my phone number, even though he had called me.
    I engaged with "Alan Thomas" who then told me his real name. He was somewhat annoyed when I said he was calling from India (due to the usual signs such as phony names, noise and accent). He proudly told me he was phoning from Pakistan!

    PS. Graham, why do you have US spelling here?

    1. Graham Cluley · in reply to Tony Levene

      Which word is spelt in Americaine?

  6. furriephillips

    I'd like to give your video a thumbs-up (especially for featuring my favourite SQL injection cartoon), but am I going crazy, or is the YouTube "Thumbs-up" button unavailable in your embedded video or impossible to get at, without viewing it on YouTube? I feel old, when it's not exactly made easy!

    1. Graham Cluley · in reply to furriephillips

      Glad you enjoyed the video.

      And no, you're not old. Or at least, I'm old as well… because I can't work out how I'm supposed to "Thumbs Up" the video without visiting the YouTube site too.

      Is it possible this is just how YouTube is these days? I visited a couple of other sites with YouTube videos and they seemed to be behaving the same way…
