I was reading this article about the sentencing of a 17-year-old in the UK for a Web attack that happened in 2015. He says he won't do it again, but do we really want that?

It tells us that several websites were vulnerable to a SQL injection attack which leaked personally identifiable information (PII).

Aren't we punishing the wrong people here? I mean, his motives were to show off his abilities and not to obtain and exploit the data. It also appears that the site already knew about the attack and was not able to do anything to mitigate it?

I know that we would all like to live in a world where lost wallets are always returned to us with all the money inside, but isn't the company primarily responsible for continuing to neglect the security of the data?

Until we start legislating accountability for companies that hold service availability over security, we will continue to have breaches. To penalize individuals who help to find these flaws instead of congratulating them is like forgiving the dog and scolding the bone for just being there.