Two Friends Who Hacked TalkTalk Receive Prison SentencesTelecom Company Says Total Losses Due to Data Breach Stand at $99 Million
Two men who pleaded guilty to participating in the massive October 2015 of London-based telecom company TalkTalk have been sentenced to serve time in jail (see TalkTalk Hack: Two Men Plead Guilty).
See Also: The Global State of Online Digital Trust
The pair, both of Tamworth, England, were sentenced on Monday at London's Central Criminal Court, better known as the Old Bailey.
TalkTalk discovered it was hacked on Oct. 21, 2015. Its estimated total losses due to the hack and resulting data breach now stand at £77 million ($99 million).
On Monday, Judge Anuja Dhir sentenced Matthew Hanley, 23, to 12 months' imprisonment, and Conner Douglas Allsopp, 21, to eight months' imprisonment.
Speaking at the sentencing hearing, the judge said both men were "individuals of extraordinary talent," but noted that they had caused significant harm, the BBC reports.
"I'm sure that your actions caused misery and distress to the many thousands of the customers at TalkTalk," she said.
The two men, who are friends, were identified as part of a lengthy investigation conducted by the Metropolitan Police Cyber Crime Unit, which is part of its Fraud and Linked Crime Online Unit, also known as Falcon.
The judge noted that neither man had found or exposed the flaw that allowed them to exploit TalkTalk's site, but said that "you at different times joined in."
In November 2016, a 17-year-old boy in the U.K. admitted to using an automated tool that flagged the vulnerability in TalkTalk's systems, and sharing it with others, the BBC reported.
All told, police have arrested six individuals, including a teenager in Northern Ireland, in connection with the TalkTalk hack. BAE Systems, which TalkTalk hired to investigate and remediate the breach, has reportedly estimated that up to 10 individuals may have been involved.
An investigation conducted by the Information Commissioner's Office - Britain's data privacy watchdog - found that the hacks resulted in personal data being exposed for almost 157,000 TalkTalk customers, plus bank accounts and sort codes for more than 15,000 customers. The exposed personal data included name, address, date of birth, telephone number, email address and financial information.
Hackers' Incriminating Skype Chats
Hanley was arrested on Oct. 30, 2015, just nine days after TalkTalk determined it was hacked. Hanley's computers and hard drives were seized and subjected to a digital forensic investigation. Detectives said they found that some devices and hard drives had either been wiped or encrypted, but said they were able to recover at least some of the data.
Police also identified incriminating chat messages, including an exchange via Skype in which Hanley told Allsopp: "Be careful with that dump, don't sell unless £1,000+ and you didn't get it from me," prosecutors told the court on Friday, during a sentencing hearing for both men, Birmingham Mail reports.
Met Police had previously noted that "detectives discovered conversations where Hanley had been discussing his involvement and actions in hacking into TalkTalk's website and also discussing how he had deleted incriminating data from his computers and encrypted his devices in order to cover his tracks."
Hanley pleaded guilty on April 26, 2017, to violating the Computer Misuse Act; accessing the TalkTalk site from Oct. 18 to 25, 2015, including hacking a TalkTalk database; as well as "obtaining files to enable the hack of websites and supplying these files to others," according to the Met Police. He also admitted to sharing a spreadsheet that contained TalkTalk customers' details for fraudulent purposes.
Allsopp was arrested in April 2016 and pleaded guilty on March 30, 2017. Police said that when they presented him with his chat logs with Hanley, he admitted to having tried and failed to sell the stolen TalkTalk customer data as well as details of the vulnerability on TalkTalk's website.
'Risk of Fraud'
"Hanley hacked into TalkTalk's database with the sole intention to steal customer personal data and sell it to criminals and fraudsters for his and Allsopp's financial gain. Allsopp was a willing participant in the crime. If successful, this could have put thousands of people at risk of fraud," says Detective Constable Rob Burrows from the Met's Falcon Cyber Crime Unit.
"Hanley thought he was clever covering his tracks, concealing and destroying evidence on his computers. However the extensive investigation, specialist skills and technical expertise utilized by our team led to the identification of these two virtual offenders, bringing them into the 'real world,'" says Burrows, who was the lead investigating officer in the TalkTalk hacking case. "This secured overwhelming digital evidence leading to the guilty pleas and sentencing."
The U.K.'s National Crime Agency also participated in the investigation, and officials have said TalkTalk provided essential assistance.
Burrows says the successful investigation demonstrates the difficulties criminals face when attempting to operate surreptitiously and anonymously online.
"Regardless of the efforts and techniques deployed by cybercriminals to conceal their identities and activities, they will leave a trace and will be identified, pursued and prosecuted," he says.
TalkTalk's Security Failures
The ICO's investigation into the TalkTalk breach concluded that the telecommunications giant, which trades on the London Stock Exchange, had violated Britain's Data Protection Act by failing to put proper security measures in place to safeguard user data. As a result, the ICO hit TalkTalk with a £400,000 ($515,000) fine, which was a record at the time (see: TalkTalk Breach Investigation: Top Cybersecurity Takeaways).
"TalkTalk's failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk's systems with ease," Information Commissioner Elizabeth Denham said in a statement at the time. "Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."
TalkTalk was hacked in 2015 via SQL injection attacks against a database that was originally created by Italian telecommunications firm Tiscali, the ICO's investigation found. TalkTalk acquired Tiscali's U.K. operations in 2009 but failed to properly catalog and manage the related infrastructure, the ICO's report said. When the MySQL open source SQL database management system in question was hacked in 2015, TalkTalk hadn't yet updated it with a critical MySQL patch that was released in 2012, according to the report.
Following the breach, TalkTalk reported losing 95,000 customers.