Misreporting the TalkTalk hacking

Tom Morris does an excellent job of highlighting the flaws in the reporting of the TalkTalk hack:

What’s curious though is how the mainstream media have not really talked very much to security experts. Yesterday, I listened to the BBC Today programme—this clip in particular. It featured an interview with Labour MP Hazel Blears (who was formerly a minister in the Home Office) and Oliver Parry, a senior corporate governance adviser at the Institute of Directors.

And what the latter has to say is not what you’d call accurate:

This attack was a simple SQL injection attack. That threat isn’t “changing hour by hour, second by second”. It’s basic, common sense security that every software developer should know to mitigate, that every supervisor should be sure to ask about during code reviews, and that every penetration tester worth their salt will check for (and sadly, usually find).

The short version: TalkTalk’s website security appears to have been terrible, and by allowing inexpert talking heads to distract from that, we’re failing to report the true story – corporate security failings – rather than some vague idea of cyberjihadiis, which seems to have been nonsense all along.