Highly sensitive customer data held on company websites is so vulnerable to attack that even a toddler can be shown how to get their mitts on it, the Information Commissioner has warned MPs.
Appearing in front of the Commons Culture, Media & Sport Committee inquiry into last year’s TalkTalk hack, Christopher Graham said: “You can get on the Internet lots of ‘how to do it’ videos including one… which shows a cyber expert showing his three-year-old child how to break into a company website.
“Companies ought to be as canny as the clever people out there who are probably breaking the Computer Misuse Act and a few other bits of legislation. The threat from three-year-old children should not be taken lightly.”
While it may seem fanciful that an army of toddlers is out there plotting to wreak havoc, Graham’s warning proves just how vulnerable customer data has become and flags up the urgent need for businesses to continually review their cyber security arrangements.
ICO group manager Simon Rice told the inquiry: “You can go onto YouTube, you can go into your favourite online search engine and type in ‘how do I do an SQL injection attack?’ and you will get a range of tutorials, both paper documents and videos, to demonstrate how to do it. There are a lot of automated tools, that essentially a three-year-old can press the button.”
Graham confirmed that the regulator was carrying out six investigations into TalkTalk, three of which were “major”, including the 2015 incident, and two earlier incidents, one involving TalkTalk in its own right, and the other concerning Carphone Warehouse.
He refused to discuss details for fear of “compromising the investigations”. However, he urged other firms to make sure they had precautions in place to ensure they were not victims of similar attacks.
“Any other company with half a brain should be checking their systems now to make sure that they don’t land up in the same situation,” Graham said.
Earlier this week, it was revealed that police have arrested three staff working at an Indian call centre which handles TalkTalk’s CRM account over customer data theft.