By Michael Moore
The companies responsible for providing the United Kingdom’s Internet could be in danger of putting millions of customers at risk due to widespread shortcomings in their online security, a new report has warned.
Security researcher Paul Moore examined the publicly available information of the six largest ISPs in the U.K. and found plenty of bugs that could be used by hackers.
The companies involved included Virgin Media, TalkTalk. EE, BT, PlusNet and Sky, and followed the major data breach that hit TalkTalk last month.
And Moore says that his research showed that the attack on TalkTalk could have affected any of the other providers.
“There have been a couple of incidents where I had to contact ISPs to report things that were serious,” he told the BBC, noting that many of the companies had since contacted him in order to improve their security protection.
“Ordinarily they would not be so open and honest with me but, after what happened at TalkTalk, they have been stepping in quickly,” he said.
“On one occasion I notified BT and PlusNet about a bug at 14:00 and they kept people back until 22:00 to fix it.”
Moore’s research uncovered a range of security failings, including passwords being stored in plain text, exposed code that would allow hackers to inject their own code on to ISPs’ Websites and potentially load malware on to them.
There were also issues with Website encryption certificates that would have allowed anyone to apply for administrative control over them from the certificate authority and then pose as the webmaster for Websites owned by an ISP.
Following the attack on their network, TalkTalk confirmed that 156,959 customers had had their personal details accessed.
Of that, no more than 15,656 bank account numbers and sort codes were accessed. The ISP also admitted that 28,000 obscured credit and debit card numbers were also accessed.