The four-year jail term announced today for young hacker Daniel Kelley has raised a slew of reactions to his actions, the moral stance, the vulnerabilities companies have despite high-end security installations, and, above all, his amazingly young age when he managed the hacks that caused multi-million pound losses.
"Daniel Kelley is an opportunistic and utterly ruthless hacker who, motivated by financial gain and spite, caused enormous financial and reputational damage to his victims," said the Crown Prosecution Service (CPS) specialist prosecutor Russell Tyner in a CPS statement.
His indictment comes hardly two months after a university dropout was jailed for running a dark web business selling illegal drugs and for hoarding a catalogue of child sex abuse images. The young age of these convicts has raised concerns, and moves are afoot to nip the trouble in the bud.
A hacker is born
News reports say the meek youngster from Llanelli in southwest Wales took to hacking during his school days after he failed to obtain the cut-off GCSE grades to join a computer course at his local college, Coleg Sir Gar. The teenager, confident in his computer skills, felt offended.
Kelley, then just 16, hit the college network with a distributed denial of service (DDoS) attack to screw up the college's website, disturbing teaching hours and exam schedules. However, things soon spiralled.
The college's IT network was connected to the Welsh Government's public sector network (PSBA). The attacks on Coleg Sir Gar spilled over to the larger network, affecting other educational institutions, hospitals, emergency services and councils. He was arrested and soon got bail, after which the youngster turned full-time hacker.
The CPS said the 22-year-old admitted blackmailing at least six organisations by threatening to sell their hacked data on the ‘dark web’ unless these firms paid him hundreds of thousands of pounds in Bitcoin. "Where they refused, he made good on his threats."
His hacking spree came to an end with the TalkTalk cyber-attack, which cost the company £77 million after the personal details of 157,000 customers were stolen. According to the probe report, 156,959 employee accounts were accessed, of which 15,656 had their bank account and sort code numbers accessed.
Kelley put this data up for sale at £1.1 million on a dark web site called ‘dbs4sale’. TalkTalk lost £42 million as a direct result of the attack and £35 million in other costs, including the loss of 95,000 customers.
According to the prosecution documents, Kelley operated largely through Tor and had also disguised his IP address, which made detecting his criminal activities extremely difficult. However, the CPS said it was able to prove his culpability after digging up and analysing the evidence hidden in his digital devices, including chat logs and Bitcoin accounts.
Other files found on his computer included thousands of credit card numbers and details of the holders. Software and other tools designed to assist or enable hacking were also recovered from his computer, including SQLi tools which allow for rapid scanning of the entire internet.
"If Kelley’s testimony is true, and he missed a place at college due to his grades, then there is the possibility that traditional education and assessment might be rejecting the talent pool too early. If there had been an alternative way to provide a safe space for him to learn how to harness his skill he might not have ended up where he is today," said Immersive Labs CEO James Hadley.
According to Hadley, individuals with the skills necessary for hacking are not always academically strong in the traditional sense but could have an aptitude for the creativity and free thinking required to be good at cyber-security.
"These people (amateur hackers) have a clear interest and often a talent for breaking things and putting them back together and can be an asset to the cyber-security industry. They do, however, need a safe environment to practice and hone their skills to avoid the risk of getting into trouble," he said.
Catching them young
The UK government this month sanctioned £18.5 million to boost diversity in artificial intelligence technology roles and innovation in online training for adults. This is the latest in a series of steps by public and private sector players to spot and train young technologists and deter them from breaking the law.
In 2017 the government launched a £20-million digital skills initiative, called the Cyber Discovery Programme, to encourage interest in cyber-security among teenagers. The scheme set online and offline challenges for teenagers, including tasks that pitted participants against fictional hackers.
The CyberFirst programme launched by the National Cyber Security Centre, UK, trains youngsters from 11 to 19 years of age as cyber-professionals through competitions, student bursaries and courses.
The Cyber Security Challenge UK and the National Crime Agency (NCA) have been conducting a nationwide series of "Intervention Days" designed to educate young "low-level intervention recipients" and their parents or guardians through two tailored tracks on the consequences of breaking the law. The latest edition was held this month.
The North West Regional Organised Crime Unit and Irwin Mitchell Solicitors in Manchester are also part of this year-long programme, which promotes "positive diversions" for teenagers tempted to misuse their technical abilities and inadvertently commit low-level cyber-crime.
The attendees and their guardians gain a better understanding of the offences that fall under the Computer Misuse Act (CMA) 1990, say the organisers.
There has been a rise in the number of young individuals engaging in cyber-crime, for non-traditional reasons, said National Crime Agency operations officer Ethan Thomas. Workshops like these are one of the tools designed to deter and divert those with technical ability and at risk of criminal conduct, he said.
Private business initiatives have also pitched in to lend a helping hand. Bluescreen, a Plymouth-based cyber-security training and certification business, employs young, grey-hat hackers deemed by the authorities as worthy of a second chance.
The company has worked with government agencies such as the National Crime Agency to offer stable careers to juvenile hackers caught taking their first steps in cyber-crime.