ICO: Three-Year-Olds Can Hack Websites

Corporate firms really need to tighten their collective cyber security belts, after the Information Commissioner told MPs that even a three-year old can be taught how to hack a website.

Christopher Graham made the comments during questioning by the Commons Culture, Media and Sport Committee in the wake of the hack of ISP TalkTalk in October, in which 157,000 people had personal details accessed.

Child’s Play

He told the MPs that hacking into company websites has become so simple that even a three-year-old can be shown how to do it.

Graham cited the easy availability of online “how to do it” guides, which provide simple instructions on how to stage a cyberattack that even a small child could follow.

“You can get on the internet lots of ‘how to do it’ videos including one… which shows a cyber expert showing his three-year-old child how to break into a company website,” Graham was quoted as telling MPs by Sky News.

“Companies ought to be as canny as the clever people out there who are probably breaking the Computer Misuse Act and a few other bits of legislation,” he reportedly said. “The threat from three-year-old children should not be taken lightly.”

The easy availability of these hacking guides was also mentioned by Simon Rice, ICO group manager

“You can go onto YouTube, you can go into your favourite online search engine and type in ‘how do I do an SQL injection attack?’ [a type of cyber attack] and you will get a range of tutorials, both paper documents and videos, to demonstrate how to do it,” said Rice. “There are a lot of automated tools, that essentially a three-year-old can press the button.”

Late last year for example, the hacker collective Anonymous released a “noob guide” that showed how people could join its hacking efforts to take down the online presence of Islamic State (ISIS).

TalkTalk Investigation

The House of Commons culture, media and sport select committee launched an inquiry into the TalkTalk hack late last year. Indeed, TalkTalk CEO Dido Harding has already given evidence to the committee.

The Information Commissioners Office (ICO) is also investigating the TalkTalk data breach, and although Graham did not reveal any specific details about the ICO’s investigation into TalkTalk, he did confirm that he hoped the probe would be completed before the end of 2016.

The Information Commissioner and urged other firms to make sure they had precautions in place to ensure they were not victims of similar attacks.

“Any other company with half a brain should be checking their systems now to make sure that they don’t land up in the same situation,” he reportedly said.

Before Christmas, Codified Security told TechweekEurope that it was concerned that TalkTalk had not learned its lessons from the hack, and remains vulnerable to another cyber attack after researchers discovered ongoing vulnerabilities.

Martin Alderson, Codified’s chief technology officer told TechWeekEurope that he nearly “fell off his chair” when he discovered the flaws, especially in light of the devastating hack.

But TalkTalk insisted that it was taking its security seriously and was using “industry experts” to test its cyber security.

Are you a security pro? Try our quiz!