Two ‘extraordinarily talented’ hackers have been jailed for their roles in a £77million TalkTalk cyber attack which hit 1.6million accounts and led to the firm’s chief executive getting blackmail demands.
Matthew Hanley, 23, broke into the site in 2015 and passed on stolen customer details to his 21-year-old friend Connor Allsopp, who then handed this on to another online user for fraud.
Judge Anuja Dhir QC, sitting at the Old Bailey, jailed Hanley for 12 months and Allsopp for eight months.
TalkTalk was fined a record £400,000 for security failings which allowed the data to be accessed ‘with ease’ in one of the biggest data breaches in history.
Judge Dhir said it was a tragedy to find ‘two individuals of such extraordinary talent’ in the dock.
She told the pair, both from Tamworth in Staffordshire: ‘You were both involved in a significant, sophisticated systematic hack attack in a computer system used by TalkTalk.
‘The prosecution accept that neither of you exposed the vulnerability in their systems, others started it, but you at different times joined in.
‘The attack led to you and others gaining access to TalkTalk’s clients’ confidential information. The total loss to TalkTalk as a result of this overall attack is estimated to be £77 million but the loss does not end there.
‘Given the scale of the attack, the number of people whose confidential information was stolen and then passed on to others, I’m sure that your actions caused misery and distress to many thousands of the customers of TalkTalk.
‘Your actions, the actions of others, resulted in the then-CEO of TalkTalk being subjected to repeated attempts to blackmail her for money. You were not personally involved in making those attempts but your actions helped facilitate it.’
The court heard how TalkTalk spotted ‘latency issues’ on its website early on October 21 2015 and launched an investigation.
Later that day, then-chief executive Dido Harding was subjected to repeated attempts to blackmail her, with demands for Bitcoins in exchange for stolen data, which included customers’ names, email addresses, mobile numbers, home addresses and dates of birth.
It is believed that 1,707 tables with 439,365,020 rows of data – 1,662,367 of which contained sensitive data – were taken by the hackers.
TalkTalk reported the cyber-attacks to police and the National Crime Agency and the next day made public statements to alert customers.
Investigations revealed more than 1.6 million accounts containing sensitive data were affected.
An analysis by BAE Systems suggested there may have been up to 10 attackers.
Peter Ratliff, prosecuting, described Hanley as a ‘determined and dedicated hacker’.
‘The total loss to TalkTalk as a result of the attack, as estimated by TalkTalk’s Chief Financial Officer, is £77million,’ he said.
‘Matthew Hanley was, up until his arrest on 31 October 2015, a determined and dedicated hacker.
‘He was entirely aware of the risks he was taking and the illegality of what he was doing.’
Hanley admitted hacking TalkTalk and sharing banking and other details of more than 8,000 customers with Allsopp and an online user known as ‘Reign’.
The fourth charge, under the Computer Misuse Act, related to obtaining a number of computer files including names and passwords for server systems belonging to Nasa, handed to Hanley by a Skype contact as a ‘little present’.
Allsopp admitted supplying a file of TalkTalk customers’ details to an online user for fraud, as well as files for hacking.
The laptop which Allsopp was using at the time of the offences has never been recovered. He claims it was destroyed in a house fire.
In one of Hanley’s online conversations with a user called ‘Simplyediting’, he boasted: ‘I’m dumping the TalkTalk ISP database haha’.
‘Dumping’ means exporting hacked information to a file on the hacker’s device.
When officers came to Hanley’s house to arrest him he was in bed, and told them: ‘I know who did it. It wasn’t the 15-year-old kid. They used his servers but it wasn’t him’.
Darron Whitehead, defending Hanley, said he was not instrumental in the exposure of TalkTalk’s vulnerability.
‘Somebody else did that. He (Hanley) became aware of that and joined the party,’ he said.
Mr Whitehead said Hanley dropped out of school at 15. He called him ‘socially inept and unable to leave the house’.