Two friends have been jailed over their role in the 2015 hack of British telecoms firm TalkTalk.
Connor Allsopp, 21, and 23-year-old Matthew Hanley, both of Tamworth, Staffordshire, were jailed yesterday at the Old Bailey in London, after admitting their involvement in a data breach that saw the personal account data, bank account details, and sort codes of thousands of TalkTalk customers exposed.
The hack, which made front page news headlines as TalkTalk’s then-CEO Dido Harding attempted to defend the company’s sloppy security, was estimated to have cost the firm £77 million in lost business and saw them receive a record fine of £400,000 from the Information Commissioner’s Office.
To TalkTalk’s shame, its web pages were vulnerable to elementary SQL injection attacks, and software had been left unpatched for 3.5 years.
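What “elementary SQL injection” means in practice, as an added example that is not from the article and has nothing to do with TalkTalk’s actual code: a constructed Python/sqlite3 customer lookup written the vulnerable way (user input pasted into the SQL string) beside the same lookup written with a bound parameter. The table, column names and sample rows are invented for the illustration.

```python
import sqlite3

# Constructed sample data standing in for any table that a web page queries
# with user-supplied input. Names and values are invented for this example.
SAMPLE_ROWS = [
    ("alice", "11-22-33"),
    ("bob", "44-55-66"),
    ("carol", "77-88-99"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, sort_code TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable form: the input becomes part of the SQL text itself.

    A quote character in the input therefore changes the *structure* of the
    query rather than the value being compared, which is the whole defect.
    """
    sql = ("SELECT username, sort_code FROM customers "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Hardened form: the input travels as a bound parameter.

    The SQL text is fixed at coding time; the driver hands the value to the
    engine separately, so it can only ever be compared as data.
    """
    sql = "SELECT username, sort_code FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both forms on the same input and return their result sets."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, username),
            "hardened": lookup_hardened(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed username gives identical answers from both forms.
    print(compare("alice"))
    # An input containing a quote makes the vulnerable form return every
    # row, while the hardened form correctly finds no such username.
    print(compare("x' OR '1'='1"))
```

The fix is not input filtering but keeping query structure and data on separate channels; every mainstream database driver offers placeholders for exactly this, and a code review or static-analysis rule that flags string concatenation into SQL will find the vulnerable form long before an attacker does.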
Hanley was arrested at his home within days of the TalkTalk hack becoming public knowledge. Officers of the Metropolitan Police’s cybercrime unit seized computers and devices for forensic analysis.
However, it was quickly established that Hanley had encrypted and wiped his hard drives, making digital forensic investigation much trickier. Clearly he had become concerned that the high profile hack might lead police to his door.
However, despite Hanley’s attempts to cover his tracks, after an intensive investigation experts were able to uncover evidence from Skype conversations related to the hack and reveal instructions Hanley had given a friend to sell the stolen data on his behalf for financial gain.
That friend was Connor Allsopp, who was identified and arrested in April 2016.
Allsopp admitted that he attempted to sell the TalkTalk customer data stolen by Hanley, and put up for sale details of the SQL injection vulnerability in TalkTalk’s website code that could have allowed other criminals access to its database.
“Hanley hacked into TalkTalk’s database with the sole intention to steal customer personal data and sell it to criminals and fraudsters for his and Allsopp’s financial gain. Allsopp was a willing participant in the crime. If successful this could have put thousands of people at risk of fraud,” said Detective Constable Rob Burrows, an investigating officer with the Met’s Falcon Cyber Crime Unit. “Hanley thought he was clever covering his tracks, concealing and destroying evidence on his computers, however the extensive investigation, specialist skills and technical expertise utilised by our team led to the identification of these two virtual offenders bringing them into the ‘real world’. This secured overwhelming digital evidence leading to the guilty pleas and sentencing today.”
Investigators from BAE Systems, who were brought in by TalkTalk to investigate the attack, suggest that there may have been as many as 10 people accessing its systems without authorisation in October 2015.
Amongst them was teenager Daniel Kelley, from Llanelli, Carmarthenshire, who pleaded guilty in 2016 to accessing TalkTalk’s customer database and sending a blackmail demand for 465 Bitcoins to Dido Harding.
At their sentencing, Judge Anuja Dhir described Allsopp and Hanley as “individuals of extraordinary talent.”
Personally, I find this lionisation of criminal hackers unhelpful and often highly inaccurate.
TalkTalk left its systems woefully insecure. Anyone with a few tools downloaded from the web could have stumbled across the SQL injection vulnerabilities lurking on TalkTalk’s pages. It didn’t take a rocket scientist to exploit them, nor did you have to be extraordinarily talented to sell on the data and details of how the hack was perpetrated to other criminals.
Isn’t it about time we praised those who fight the malicious hackers, rather than boost the ego of the criminals?