Across the course of a week back in October 2015, telecoms provider TalkTalk fell victim to a data breach that saw the personal data of nearly 160,000 customers compromised. The breach cost TalkTalk £77 million, according to the latest estimates, including what was a record fine by the Information Commissioner’s Office (ICO) in 2016 of £400,000.
It has also cost the perpetrators of that breach, but some might argue that the attackers got off pretty lightly compared to TalkTalk itself.
Matthew Hanley and Connor Allsopp, who had both pleaded guilty to various charges under the Computer Misuse Act relating to the TalkTalk network breach, were sentenced this week to 12 months and eight months respectively.
The judge, Anuja Dhir QC, said the pair were "individuals of extraordinary talent" while the prosecuting barrister, Peter Ratliff, singled out Hanley as a "determined and dedicated hacker".
The sentencing of Hanley and Allsopp comes a year after another of those involved, who could not be named as he was 17 years old at the time, was handed a rehabilitation order and had his iPhone confiscated. His involvement was in uncovering the TalkTalk vulnerabilities and sharing that information with other cyber-criminals.
So what does this say about the judiciary’s understanding of the crimes of the two, crimes which were hardly extraordinary in their methodology and more like the actions of script kiddies, if truth be told.
Jonathan Armstrong, a partner at law firm Cordery, told SC Media UK that it's "hard in some respects to second-guess the judge’s comments without hearing all of the evidence, but it seems that this type of wording mirrors the company’s assessment".
Armstrong argues that nobody likes to admit that their systems have been breached by two individuals working out of their back bedroom. "They commonly call attacks ‘sophisticated’ to try and imply that they were up against something no-one could defend against," he said.
And what about those sentences which, in all three cases mentioned, seem pretty lenient when you look at the financial and reputational cost to TalkTalk.
Spencer Young, regional VP EMEA at Imperva, compares the TalkTalk attack to that of the Hatton Garden heist a few years ago where the robbers got away with a £29 million haul. In that case, the mastermind behind the theft was handed a sentence of six years and three months.
"Hackers are so often mistaken in an almost romanticised way for being intelligent, different and therefore misunderstood young people," Young says. "The harsh reality is that they are criminals, period."
Considering the cost to TalkTalk, Young says it is "very difficult to rationalise the sentences, and it does little to deter others given the potential gains to be made."
Darren Anstee, NETSCOUT's chief technology officer, agrees and told SC that "it could be argued that the punishments for these kinds of crimes need to act as more of a deterrent".
Not everyone thinks the judge was being lenient, however, and with some commentators arguing that the cost to TalkTalk is a red herring.
"The sentences are fair; these two were not career cyber-criminals and the ruling should act as a deterrent to other opportunistic individuals who fancy their chances," Steve Nice, chief security technologist at Node4 argues. "The financial damage suffered by TalkTalk should not even be a consideration in the sentence, as the company failed to take basic steps to protect customer data."
Talking of failing to protect customer data, what should enterprises learn from the TalkTalk breach, by way of the breach methodology itself, the immediate incident response failings and the (lack of) consequences to those in charge at the time?
David Atkinson, founder and CEO of Senseon, says that since the introduction of GDPR – which came after the TalkTalk breach – there is now an emphasis on the need for transparency and speed when dealing with data breaches. "Any companies that do not respond quickly or announce the breach are likely to receive a heavy penalty," Atkinson says. The most important lesson to learn is "if a similar breach happened today, we would likely see a very different scenario play out".
Adam Brown, manager of security solutions at Synopsys, said, "The most important lesson is that firms must take software security seriously – it must be a topic for senior management. From there, process, people, policy and technology can be built out to avoid terrible events like this one."
We'll leave the last word to Josu Franco, strategy and technology advisor with Panda Security who told SC: "Enterprises must learn that cyber-risk and business-risk cannot be separated. Top business decision makers need to learn this and decide and commit on the level of cyber-risk they are willing to take. And CISOs must learn how to communicate cyber-risks in business terms, in a way a CEO, board member or judges can understand."