TalkTalk Breach: 17-year-old Confesses

A 17-year-old boy has admitted responsibility for hacking UK ISP TalkTalk, claiming it was an attempt to show off to friends.

The youngster, who can’t be named for legal reasons, pleaded guilty to seven charges and will be sentenced next month, according to the BBC.

“I didn't think of the consequences at the time. I was just showing off to my mates,” he’s reported as telling Norwich Youth Court.

“It was a passion, not any more. I won't let it happen again. I have grown up.”

The boy will be sentenced in December under the Computer Misuse Act and, although the charges also cover attacks he launched against Manchester and Cambridge universities, it’s likely he’ll escape jail.

The cyber attack on TalkTalk in October 2015 ended up compromising personal data on over 150,000 customers, more than 15,000 of whom also had financial details stolen.

It’s believed the attacker exploited a simple SQL injection flaw in several vulnerable web pages to access the firm’s customer databases.

The hack exposed shockingly poor levels of security at a firm which should have known better. It was twice hit the same year by SQL injection attacks yet failed to patch the bug that was eventually exposed in this one.

A fix was apparently available for the flaw but TalkTalk had no idea the databases even existed, meaning software was left out of date.

The case is being seen as a cautionary tale for businesses that fail to invest in appropriate levels of cybersecurity.

TalkTalk was recently hit with a £400,000 fine for its shortcomings, and admitted earlier this year that the breach would end up costing the firm around £80 million thanks to the impact on trading, lost customers and remediation costs.

CEO Dido Harding claimed that a year on from the breach, the firm has made a “wide range of operational improvements.”

It remains to be seen what part the six other people arrested in connection with the attack played in the breach.
