Weekly podcast: TalkTalk teen, biggest breach of the year, Tesco Bank again. Let’s do the list…

This week, we discuss the 17-year-old who admitted to last year’s TalkTalk cyber attack, the compromise of more than 400 million ‘adult’ accounts, further news about the Tesco Bank breach, and a $1 million fine for Adobe Systems.

Hello and welcome to the IT Governance podcast for Friday, 18 November. Here are this week’s stories.

A 17-year-old Norwich boy has admitted carrying out the October 2015 cyber attack that cost TalkTalk an estimated £42 million – and a record £400,000 fine from the Information Commissioner’s Office.

According to the BBC: “The charges against the boy also included attacks on other websites, including the universities of Manchester and Cambridge.”

The teenager, who can’t be named for legal reasons, told Norwich Youth Court: “I didn’t think of the consequences at the time. I was just showing off to my mates. It was a passion, not any more. I won’t let it happen again. I have grown up.”

While “showing off”, the boy accessed the personal data of 156,959 TalkTalk customers, including names, dates of birth, addresses, phone numbers and email addresses, as well as more than 15,000 customers’ bank details. Former Information Commissioner Christopher Graham called the breach a “car crash” earlier this year.

TalkTalk’s interim results for the six months to September 2016 – released this week – show that the firm has recovered well in the last year, with a surge in operating profits to £60 million compared with £25 million in the same period last year.

The boy will be sentenced under the Computer Misuse Act on 13 December.

The TalkTalk breach is dwarfed by the biggest hack of the year, though. LeakedSource reports that a data breach at FriendFinder Networks – the popular purveyor of pornography and ‘casual dating’ services – has exposed 412,214,295 accounts, including 15,766,727 purportedly ‘deleted’ accounts that weren’t actually removed from the company databases.

Moreover, thanks to poor password security practices – passwords were stored in plaintext or were hashed with the insecure SHA-1 algorithm – “99.0% of all available passwords are now visible in plaintext.”
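As an added illustration of why unsalted SHA-1 leaves a breached password table "visible in plaintext", here is a small Python script (written for this page, not code from the podcast or from FriendFinder Networks) that stores the same constructed sample credentials two ways: with bare SHA-1, and with a per-user random salt and PBKDF2-HMAC-SHA256 from the standard library. A defender's audit then shows that one precomputed lookup table recovers every weak-hash account that uses a common password, and that identical passwords are visible as identical digests, whereas the salted store shares no table and must be attacked one account at a time at the full iteration cost. The usernames, passwords and the short wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for illustration only; not data from any breach.
SAMPLE_USERS = {
    "alice": "letmein",
    "bob": "letmein",        # deliberately the same password as alice
    "carol": "Tr0ub4dor&3",
}

# Constructed stand-in for the common-password wordlists used in offline cracking.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def weak_store(password):
    """Unsalted SHA-1, the scheme the podcast describes.
    Fast to compute and identical for identical inputs, so a single
    precomputed table of common passwords breaks every matching account."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_store(password, iterations=200_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256.
    Record format (assumption for this example): algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def strong_verify(password, stored):
    """Re-derive the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_weak_hashes(stored, wordlist):
    """Defender's audit of an unsalted SHA-1 store: one lookup table, built once,
    serves every user. Returns username -> recovered password for each hit."""
    table = {weak_store(p): p for p in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def audit_strong_hashes(stored, wordlist):
    """The same audit against the salted store. No shared table is possible:
    every guess is re-derived per user at the full PBKDF2 cost, so weak
    passwords still fall, but only one account at a time and far more slowly."""
    hits = {}
    for user, record in stored.items():
        for p in wordlist:
            if strong_verify(p, record):
                hits[user] = p
                break
    return hits


def demo():
    """Build both stores from the sample users and report what each audit reveals."""
    weak = {u: weak_store(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: strong_store(p) for u, p in SAMPLE_USERS.items()}
    return {
        "weak_hits": audit_weak_hashes(weak, COMMON_PASSWORDS),
        "weak_duplicates_visible": weak["alice"] == weak["bob"],
        "strong_hits": audit_strong_hashes(strong, COMMON_PASSWORDS),
        "strong_duplicates_visible": strong["alice"] == strong["bob"],
        "strong_verify_ok": strong_verify("letmein", strong["alice"]),
        "strong_verify_wrong": strong_verify("wrong-password", strong["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Both audits recover "letmein" for alice and bob, which is the honest lesson: salting and a slow hash do not rescue a weak password, they remove the shared lookup table, hide which users share a password, and multiply the cost of every guess. In production, prefer a dedicated password-hashing library (bcrypt, scrypt or Argon2) over hand-rolled record formats, and treat a SHA-1 or plaintext password column found in an audit as an incident to remediate, not a legacy quirk.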

The attack seems to have occurred last month, at around the time CSO Online reported that Adult FriendFinder had a local file intrusion vulnerability. FriendFinder Networks vice president and senior counsel Diana Ballou said: “FriendFinder takes the security of its customer information seriously and will provide further updates as our investigation continues.”

You’ll remember from last week’s podcast that 9,000 Tesco Bank customers lost £2.5 million from their current accounts following what the bank called “a highly sophisticated attack” on its systems. According to the Financial Times, however, Tesco Bank “ignored warning signs that its vulnerable software was being targeted by cyber criminals for months before thousands of its customers had money stolen”. Meanwhile, the Sunday Times reports that the thieves have already been on a spending spree to launder the stolen spondulicks, buying “thousands of low-priced goods” with contactless payment accounts on smartphones in the US and Brazil. Tesco Bank told the BBC that it is unable to comment while a criminal investigation is being carried out.

Adobe Systems has been ordered to pay a $1 million fine in 15 American states for a 2013 data breach that saw some 38 million users’ information compromised. Shall we do the list? Let’s do the list. Arkansas, Connecticut, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania and Vermont all allege “that Adobe did not use reasonable security measures to protect its systems from an attack or have proper measures in place to immediately detect an attack.” Adobe has already paid $1.2 million in California to end a class action over the same issue. The Register reports that Adobe has “promised the 15 States it will tighten things up on the security practice and policy front.” North Carolina Attorney General Roy Cooper said: “Criminals and hackers are after our personal financial data and businesses and government must do more to protect it.” And Massachusetts Attorney General Maura Healey said: “Consumers who entrust a company with their personal data should have that trust respected.”

Well, that’s it for this week. The usual plea: if you enjoy these podcasts, please share them using the hashtag #itgpodcast (and thank you to @TimMusson for being the first to do so), and, until next time, remember that you can keep up to date with the latest information security news on our blog. And don’t forget to check out our book of the month, Managing Information Security Breaches – Studies from real life by Michael Krausz. Full of useful information about real-life incidents and breaches, this thought-provoking guide explains how to get your risk profile right, and how data breaches can be avoided and mitigated. Head over to our webshop to find out more – and save 10% if you buy by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.