Slashdot Mirror


15-Year-Old Boy Arrested In Connection With TalkTalk Hack (bbc.co.uk)

Phil Ronan writes: Scotland Yard says police have arrested a 15-year-old boy in connection with the recent hack on UK phone and internet provider TalkTalk. Authorities are in the process of questioning him and conducting a search of the house he lives in. TalkTalk now says the breach was smaller than it thought, and full credit card details are not at risk. "Dido Harding said any credit card details taken would have been partial and the information may not have been enough to withdraw money 'on its own.' Card details accessed were incomplete — with many numbers appearing as an x — and 'not usable' for financial transactions, it added." In other news, business leaders are calling on the government to take "urgent action" against cyber-criminals, because somehow the security of their online systems is the government's responsibility, not theirs.


  1. That editorial summary tho by Sowelu · · Score: 5, Insightful

    I mean, of course if your store is getting broken into a lot, you should buy better locks. Doesn't mean that if there's a crime spree and a rash of robberies you shouldn't call on the government to investigate or patrol more.

    1. Re:That editorial summary tho by mattyj · · Score: 2

      So you're okay with people breaking into your home, as long as they don't take anything of value?

      How about criminal trespass, and yes, thievery. Doesn't matter if someone doesn't end up with 'anything usable', they possess property/data that doesn't belong to them.

    2. Re:That editorial summary tho by mattyj · · Score: 1

      I thought that was a weird comment, too. There have only been a few times in history (American) where private companies were the ones also enforcing the laws.

      The "urgent action" in the story is the suggestion that UK law enforcement take data theft as seriously as physical theft. Meaning, investigate and prosecute. Not sure why anyone would be against that.

    3. Re:That editorial summary tho by stephanruby · · Score: 1

      That editorial summary tried to blame the business, but it did a piss poor job of it. Had the editor actually read the article, then they would have gotten great ammo from it.

      The fact is, that business didn't notify any of the affected customers when it found out about the breach. And two, there seems to be anecdotal evidence that this information is out there, even if it's incomplete, and that scammers have been using the little bit of information they do have to get the rest through social engineering.

      In other words, there seems to be no incentive in the UK to disclose security breaches of financial details to its affected customers.

    4. Re:That editorial summary tho by cheater512 · · Score: 1

      It's their implication that they were innocent victims, when in reality they left their safe unlocked, and the door open overnight.

    5. Re: That editorial summary tho by theCzechGuy · · Score: 1

      They are already taking it more seriously than physical theft. What was the last time you've been robbed? What did the police do about it?

    6. Re:That editorial summary tho by BasilBrush · · Score: 1

      No it's not their implication at all. They have held their hands up to not knowing which parts of the data were encrypted and which weren't.

      It's other businesses that have called for more government (i.e. police) action on cyber crime. And quite rightly too.

    7. Re: That editorial summary tho by BasilBrush · · Score: 1

      When for good or bad, the police reaction is proportional to the scale and severity of the crime. A burglary affects one household. This potentially affected hundreds of thousands of people.

    8. Re:That editorial summary tho by cheater512 · · Score: 1

      What's wrong with current enforcement? They usually do catch the guys (Lulzsec, this case, etc...) which is much more than they can say about real world break ins.

    9. Re: That editorial summary tho by corychristison · · Score: 1

      I once had someone go digging through my car. Nothing was damaged and the only thing missing was a broken iPod touch.
      Not exactly worried about it. Didn't file a police report because nothing of value was lost.
      Personally I am always sure to lock the vehicle (my wife would say obsessive). It is entirely possible my toddler had gotten ahold of the key fob and unintentionally unlocked the car. Shit happens. I'm just more careful about where I put my keys and the kids are older now and know not to push the buttons on the key fob.

    10. Re:That editorial summary tho by KGIII · · Score: 1

      No, they possess a copy. *nods* We, Slashdot, are all about information being free until it's our information. We didn't take anything when we made a copy. They still have use of that data, after all.

      Yes, tongue-in-cheek. I do, actually, support copyright and patents but I feel the system needs to be reformed to reflect a more modern society and the speed that technology now changes.

      --
      "So long and thanks for all the fish."
    11. Re:That editorial summary tho by KGIII · · Score: 1

      Per your enforcing the law... Hmm... I guess that depends on how you look at it? I'm probably reaching a bit here so I'll try to be brief - I don't have much of a point, anyhow.

      My business had been broken into, the alarm company called, the kid was in custody. After letting it get partway through the court system we opted to drop charges and were able to set up a deal with the judge. He had to work to pay off the money to cover the repairs. We'd convinced our cleaning company to take him on to work at our office (he eventually earned enough trust to work elsewhere). He had to stay out of trouble for a year and stay in school, with passing grades and acceptable behavior reports - while working 20 hours per week. I'd have just let him work at our place doing the cleaning and outside stuff had the cleaning company not taken him on to do other work. In return, at the end of the year, his case was round-filed which included expunging the arrest record.

      Which was what I'd decided I wanted. (By the way, only 1/4 of his weekly pay was deducted to pay for the damages, damned kid.)

      So, in a way, yes... That was us enforcing the law - but, as I said, I'm kind of reaching here. We worked within the legal framework (including time off to see the DA and attend two of the initial court appearances and the last one where the case was dismissed).

      For the curious, it turned out okay. I'm not completely certain but I'm told that he's now got his own cleaning company, he goes in at night and does office cleaning as well as industrial floors - that type of stuff. I guess he's got a bunch of people working for him and many are young, underprivileged, and ex-cons. He also (I'm pretty sure) was planning on (or doing something) about giving kids a way to stay out of trouble - like a Boys Club type of thing. I don't really know. I've not been in the area for eight years and this was more like fifteen years ago.

      Now, there was still a judge and a representative of the State involved but we decided the punishment, we enforced the (as in I, personally, got the letters from his teacher and his report cards) stipulations - including the time worked, and we decided to not move the prosecution forward at the end of the year (which he passed with flying colors). We were not the law but we had the force of law behind us and quite a bit of control (or influence) on how that process worked.

      This was Winston/Salem NC and I'm not sure how the court system would react today but it wasn't that long ago, really. The kid did seem interested in getting into coding and was working with one of the devs to see if he could make a traffic simulation game (we had the best MFing traffic sim "game" in the world, thank you very much - I might be biased) but nothing ever came of it. He liked the outcome, he liked the work, but he didn't seem quite able to grasp the process so much and we had plenty of staff so there was always help for him - he actually would come in 'off hours' after school quite a bit.

      Anyhow, nice family but poor and a lot of kids. The parents were always out of the house, working their asses off, and we all met and whatnot. My thinking was that the courts wouldn't have actually done anything to him except punish him and punishment wasn't really what I felt was required. Well, not solely required. He was punished, he worked to fix the damage. Beyond that, I figured, he needed something to keep his ass busy and some rewards for his effort to learn to respect himself.

      Which ties back in... It was my ideology (technically, not just mine as I'd discussed it with a number of those who worked with me) that influenced the court's decision as well as the State's decision to not prosecute but to allow a certain set of criteria to be met. I'm not sure if that counts as enforcement but it is pretty close. True, it's not total but it's not unprecedented - I guess that's my line of thinking and my point. For certain periods of time, we had data on-site that was the property of others and part of our contract was to

      --
      "So long and thanks for all the fish."
    12. Re:That editorial summary tho by KGIII · · Score: 1

      Hmm... Not sure if serious?

      Very seldom does the "government" stop crime. They investigate it and punish it, after the fact. They don't usually prevent anything.

      This may not be a popular thing to say but, as I think about this - I'm okay with that. The methods they'd need to use to stop crime would be too harsh, I think. I'd assume they'd be only able to accomplish this by removing freedoms and restricting rights. I am kind of happy that the government isn't really meant to (even if they think they are) stop crime. Crime sucks but they should only be in the business, generally speaking, of prosecuting those who have committed crimes - that should be more than enough, usually, to keep them busy.

      I've never given it much thought but, on first blush, I'm okay with the government not being in the business of stopping crime. You don't expect the government to provide you with locks on your door, would you? (Maybe you would - your post indicates you just might be. I am not, I don't think?) You don't want them stopping you to see where you're going and what business you have at your destination, do you? (Again, you might.) You don't want them collecting and inspecting your data to see if, just maybe, you're committing a crime, do you? (Yet again, you might.)

      No... I don't think I want the government to stop criminals (for the most part). Sure, where there is an obvious, known, and present threat then reason takes over and it'd be nice if they stepped in to protect the citizens. However, I'm armed because I don't expect the cops to save me if I'm being shot at (if I'm just being mugged then I'm just going to give them my wallet).

      Yeah, the more I think about it - they're kind of right -- in my opinion. I don't want the government trying to stop the criminals, generally speaking. I want them to prosecute those who break the law. The only way they can prevent crime is to reduce freedoms and rights. I'm open to suggestions but I'm not sure how it's the government's responsibility to prevent crime nor do I really think it should be their responsibility (regardless of what they think). That's how you end up with the NSA, Homeland Security, or the likes.

      Hmm... This needs reasoning and logic applied. :/ Note to self: Ponder this.

      --
      "So long and thanks for all the fish."
    13. Re: That editorial summary tho by Maritz · · Score: 1

      Tony Slattery did that. The proof to Goldbach's conjecture was on that iPod touch.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    14. Re:That editorial summary tho by Maritz · · Score: 2

      Everything You Were Told About Capital Letters Is a LIE

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    15. Re: That editorial summary tho by JackieBrown · · Score: 2

      I imagine if they didn't file a report and this happened again but information was stolen, it would look like they had been covering up a history of negligence - even if they did take steps to beef up their security.

      Also, not reporting it could make it seem they were not even aware the hack happened which could embolden people to keep trying.

    16. Re:That editorial summary tho by Coren22 · · Score: 1

      Try this one cool trick to better grammar, the teachers hate it!

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    17. Re: That editorial summary tho by Coren22 · · Score: 1

      When I had a house robbery, the police took prints, our report, etc, then called me a month later to ask if I found the thief...I thought that was hilarious, as I had no access to the crime lab.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    18. Re:That editorial summary tho by poofmeisterp · · Score: 1

      Everything You Were Told About Capital Letters Is a LIE

      He's Coding His sTatement. It's just Bad fOrmatting of the vAriable nAmes. _dUuhh.

    19. Re: That editorial summary tho by poofmeisterp · · Score: 1

      If a 15yr old is responsible, believe me, they have a lot to worry about. Like why are they even in business if some kid wet behind the ears can troll their servers. Fuck em I say. That goes for all entities hacked now or ever.

      The kid was clearly a terrorist or would have not accomplished such nearly-impossible feat. The business needs protection from *terrorists*! *cough*

    20. Re:That editorial summary tho by poofmeisterp · · Score: 1

      Hmm... Not sure if serious?

      It was clearly just a "Hey, Biff, what's that?!?!" ploy. Read: "Don't focus on our security; it's clearly them there terr'rist kids doing the impossible, like getting through our impenetrable security measures. We need more gub'mint efforts to stop this hacking of our society as a whole and we'll help however we can!"

      Truth: "Uh, we suck at security, even financial. We understand if no one trusts us with their financial or private info anymore. Granted, the loss wasn't that bad, but it proves that we can be lazy enough in our efforts to maintain complete security (like we said in our Agreement with you that we WOULD). Pissing off is in our future plan because we're awesome with growing and planning. [We] digress."

      P.S. That wasn't my comment you replied to; just throwing in my useless $0.0001 to state the obvious (from my Asperger's mind).

    21. Re:That editorial summary tho by poofmeisterp · · Score: 1

      This is what happens when you teach computer science to kids. They have the mental acuity to figure out how to do terrible things, but not the maturity or moral conscience to know better.

      The political agenda aimed at creating more software developers in order to pull salaries down will just create a new Internet crime wave.

      Just watch.

      That is such a wise view of Human repetition of mistakes that it can't possibly happen! We never make the same stupid mistakes again and again and ag.....

    22. Re:That editorial summary tho by BasilBrush · · Score: 1

      Haven't seen the details on how they caught this one yet, but he did try to blackmail them. Always difficult to come up with a scheme to collect blackmail money and negotiate it without giving yourself away.

      Usually is certainly not the case. Internet fraud is a steady and profitable business for many, many people, with almost no chance of getting caught.

    23. Re: That editorial summary tho by Tijaska · · Score: 1

      The felon was a 15 year old. When the police start arresting 5-year-olds for hacking, we have to ask what is it that's broken? The kids? Or companies that dash online without the first clue of how to protect their assets?

  2. Also in the news by Opportunist · · Score: 4, Informative

    Consumers called for "urgent action" to slap corporations with crippling fines who are collecting all sorts of data of their customers but are too incompetent to defend it against 15 year old script kiddies.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Also in the news by gweihir · · Score: 1

      Couldn't agree more. Pathetic-level security must have severe consequences for both the company and the company officials responsible.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Also in the news by Opportunist · · Score: 1

      Ok. Please tell me how to buy anything online without handing out at the very least name, address and credit card number (and that's really the bare minimum required to get anything delivered). Depending on what I want to buy other personal information like shoe size, sexual preferences or topics of interest will be available to the merchant.

      And what does a bank have to do with this AT ALL? You may have an argument concerning the credit card, but everything else is necessarily something I have to inform the merchant about and I do expect him to either be able to handle that information responsibly or not store it altogether. Storing it and being negligent is something that should be punished, and punished severely.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Also in the news by BasilBrush · · Score: 2

      Yes, he does indeed have a point about credit card numbers. In this day and age we shouldn't have to pass an unchanging credit card number and ccv number to a merchant. Information which allows them to make multiple transactions without any further approval.

      Rather we should be able to pass a one off number for a particular transaction, a number that identifies both people in the transaction and the amount. It'll be a long number, but that's OK we all have the technology in our pockets for it to be generated and sent without us concerning ourselves with what the number is.

      Given that banks could do this, but don't, they do as an industry bear some of the responsibility.

      Possibly it would kill Amazon's one click purchasing scheme and the like. But it would be worth it.

    4. Re:Also in the news by sconeu · · Score: 1

      Amex used to let you generate a one-shot CC number for any given transaction.
      It was called "Private Payments".

      I wish they still had it.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    5. Re:Also in the news by houghi · · Score: 2

      This reminds me of a hack that happened a few years ago in Belgium. Some people claimed he was not really hacking, just using a known flaw (IIRC). His reply was that that makes it even WORSE. If a non-hacker can get into the system, it does not make the "hacker" smarter, it makes the defense more stooped.

      --
      Don't fight for your country, if your country does not fight for you.
  3. Rub their noses in it by Bruce66423 · · Score: 3

    The security was so bad that a boy could defeat it. Worth making fun of the ignoramus in charge of TalkTalk IT security for this. OTOH, we nerds know that teenagers are DANGEROUS...

    1. Re:Rub their noses in it by tomhath · · Score: 1

      If a 15 y/o breaks into your house and steals your laptop is it less of a crime?

    2. Re:Rub their noses in it by AmiMoJo · · Score: 2

      He might not have done the hacking. Could be the one who sent the ransom email, hoping to cash in. He could just be some random *chan user that the police arrested out of desperation. The cops are pretty dumb when it comes to computers...

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. Such ignorance by chispito · · Score: 1

    And no, I'm not talking about arresting a 15 year old.

    In other news, business leaders are calling on the government to take "urgent action" against cyber-criminals, because somehow the security of their online systems is the government's responsibility, not theirs.

    It is not the job of private industry to go on the counter-offensive and somehow stop attackers, and even if they somehow could, attribution is often incredibly difficult. Just look at the Sony hack. North Korea? Eh... Maybe at best.

    Sure, the private sector can and should enhance their security, but good luck staying completely ahead of organized crime on that front. Governments absolutely should be going after cyber criminals, assuming they are actual cyber criminals and not just dumb kids (not because dumb kids get a pass but because they should focus first on malicious actors with a political or financial motive).

    --
    The Daddy casts sleep on the Baby. The Baby resists!
    1. Re:Such ignorance by guruevi · · Score: 2

      It's fairly simple staying ahead of organized crime. Decent security practices counter pretty much any automated attack (which is what cyber-criminals do). Even things like storing card details is something that is well outdated and even against PCI practices (which are a minimum set anyone with a modicum of experience can comply with).

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Such ignorance by Anonymous Coward · · Score: 1

      Last week I was easily able to circumvent Wal-Mart's brick and mortar security by using the old "Pick-ax through the window" hack. The fools haven't even patched that yet? The manager was pleading with a local policeman to come and arrest me, but luckily for me, he just said "well it's not really the government's job to enforce the laws they pass."

    3. Re:Such ignorance by Pax681 · · Score: 2

      Make companies legally liable for easily prevented hacks.

      That's what the Information Commissioner's Office does within the UK and often punishes data breaches with fines.

    4. Re:Such ignorance by KGIII · · Score: 1

      You know... You probably, unknowingly, broke a law when you entered in and created the PIN information. I have no idea which law you probably broke but, given the way laws are, that was probably a felony. I'm not even kidding. It could be anything from unauthorized use of a computer system to all sorts of various banking related crimes depending on your jurisdiction. You knew it wasn't your card and even though you were doing the right thing, you still entered in and changed that data without the consent of the actual card holder.

      I don't think that opening mislabeled mail is illegal - I think that one might have been settled in the supreme court (assuming US laws). The content inside, on the other hand... Yeah, you probably committed a felony. I'd not raise a stink over it or the issuing bank could opt to contact an already affiliated district attorney (or the likes) and see if they can come up with a way to shut you up. I'm not usually the tin-foil hat type but, yeah... I'm not even sure that this is tin-foil-hat-territory. Businesses are, sometimes, damned evil and willing to go a long ways to protect their image or get revenge.

      --
      "So long and thanks for all the fish."
    5. Re:Such ignorance by twokay · · Score: 1

      Maybe they should pay their taxes if they want the government to protect them from the bad teenagers. Absolutely no sympathy from me.

      --
      Wannabe nerd.
  5. More seriously by TheCarp · · Score: 3, Insightful

    I think what we really need is an immediate and complete cessation of any and all funding, and public attention paid to any organizations and all persons who are known to use the prefix "cyber" unironically in any context other than particular role playing games and genres of fantasy novel.

    --
    "I opened my eyes, and everything went dark again"
  6. Not a matter of harsher laws, if kids can get in by gweihir · · Score: 1

    Seriously, if security is this pathetic, the only laws needed are ones that put hefty fines on the companies responsible and on the individuals that are responsible for the screw-up in the company, like CEOs that did not do their job.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  7. I propose a huge penalty... by Type44Q · · Score: 3, Insightful

    I propose a huge penalty for companies that allow inexperienced programmers to hack into them. :)

  8. Fifteen year old boy arrested .. by nickweller · · Score: 1

    So it wasn't sinister Chinese/Russian hackers after all ..

  9. Re:Don't hack computers by Anonymous Coward · · Score: 1

    America is one of the few countries where prison rape is seen as being so commonplace that it's a routine joke.

  10. bow - locks by Peter+(Professor)+Fo · · Score: 1

    Without the 'cyber' we have a 15-yo walks in through the front door of a major corporation, whistles a merry tune as he steps into 'PROTECTED AREA' where the customer records are floating about like confetti and walks out. No. Once upon a time the UK justice system had competent state-funded lawyers to protect lads like this. Talk Talk still got shafted. Even if the wrong-un is convicted they were still shafted.

  11. TalkTalk spokesman: "It's My Site!" by imac.usr · · Score: 1

    "Don't you forget,
    It's my site,
    It never ends!"

    --
    for the record No Doubt did a pretty cool cover version of the song as well, check out https://www.youtube.com/watch?...

    --
    I use Macs for work, Linux for education, and Windows for cardplaying.
  12. Re: Should have been AppApp! by KGIII · · Score: 1

    $ sudo alias app-get="apt-get" && alias moo="update" && alias cows="upgrade"

    $ sudo app-get moo && cow

    --
    "So long and thanks for all the fish."
  13. Re:Don't hack computers by KGIII · · Score: 1

    Not sure if serious...

    Hell, in the Eastern Europe region they not only rape you but they'll often hold you down and tattoo the equivalent of "bitch" across your forehead with tattoo ink made from melted boot heels and urine. Rape's common in prisons across the globe. America just is stupid and has more people in prison. Some, a smaller number than you might think, are much more humane and actually have adequate staffing, a smaller prison population, and proper housing routines.

    --
    "So long and thanks for all the fish."
  14. Well by nospam007 · · Score: 1

    "the recent hack on UK phone and internet provider TalkTalk. Authorities are in the process of questioning him..." ...but he doesn't talktalk.

  15. Re: Should have been AppApp! by poofmeisterp · · Score: 1

    $ sudo alias app-get="apt-get" && alias moo="update" && alias cows="upgrade"

    $ sudo app-get moo && cow

    But, but.. what about the Penguins?