Matthew Hanley and Connor Allsopp (pic: Metropolitan Police)
Two men, Matthew Hanley (23) and Connor Allsopp (21), from Tamworth in Staffordshire, have been sentenced at the Old Bailey for hacking into UK telco TalkTalk. The 2015 attack triggered a data breach that impacted an estimated 1.6 million customer accounts and cost the company up to £77 million.
In sentencing, Judge Anuja Dhir decried the fact that "two individuals of such extraordinary talent" were in the dock, but noted, "I'm sure that your actions caused misery and distress to the many thousands of the customers at TalkTalk."
Judge Dhir said that the pair had not "exposed the vulnerability in [TalkTalk's] systems... but you at different times joined in".
Shortly before his arrest, Hanley wiped data from his computer, encrypted hard drives and deleted Skype chats. Hanley was sentenced to 12 months while Allsopp received a total of eight months in jail.
Detective Constable Rob Burrows, from the Metropolitan Police Service’s Falcon Cyber Crime Unit, said: "Hanley hacked into TalkTalk's database with the sole intention to steal customer personal data and sell it to criminals and fraudsters for his and Allsopp’s financial gain. Allsopp was a willing participant in the crime. If successful this could have put thousands of people at risk of fraud.
"Hanley thought he was clever covering his tracks, concealing and destroying evidence on his computers. However, the extensive investigation, specialist skills and technical expertise utilised by our team led to the identification of these two virtual offenders, bringing them into the ‘real world’. This secured overwhelming digital evidence."
TalkTalk recognised anomalies on its site on 21 October 2015, launching an investigation and subsequently warning customers the next day. The company called in BAE Systems to investigate the breach, and BAE estimated the total loss to TalkTalk at up to £77 million. BAE also suggested in a detailed analysis of the attack that up to 10 attackers may have been involved.
TalkTalk was later fined £400,000 – a record at the time – by the Information Commissioner's Office (ICO) over the breach, which the watchdog said could have been prevented if TalkTalk had taken basic steps to protect customers’ information.
The attackers used SQL injection to access the data, a simple attack vector that TalkTalk ought to have secured against because it posed a significant risk, the ICO investigation found.
"TalkTalk’s failure to implement the most basic cyber-security measures allowed hackers to penetrate TalkTalk’s systems with ease. In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting," said the Information Commissioner Elizabeth Denham in a statement.