A 22-year-old hacker has been jailed for blackmail, after demanding over £200,000 in bitcoins from Halifax Bank to stop him releasing the financial details of 28,000 customers he had stolen through phishing attacks.
Lewys Martin was jailed for four years and two months at Southwark Crown Court on Friday, after pleading guilty to blackmail, the possession of phishing malware and 740,000 email addresses, and an unrelated offence of possessing indecent images of children. He was also handed a five-year Sexual Offences Prevention Order.
His sentencing comes just as the government's police watchdog - Her Majesty's Chief Inspector of Constabulary (HMCIC) Tom Winsor – released a damning report that accuses the police of failing to keep pace with cyber-crime.
Martin was caught after a lengthy investigation by the Met Police Cyber Crime Unit, now part of the Falcon cyber and fraud team. It dates back to May 2013 when his blackmail attempt was first reported by Halifax Bank - now owned by Lloyds, and The Sun, the newspaper to whom he had threatened to sell the data.
It is believed he obtained the 28,000 credentials by sending phishing emails and links purporting to come from Halifax Bank, to dupe customers into providing their account data.
He was demanding one bitcoin for every 10 stolen accounts, or a total of 2,800 bitcoins then worth around £207,000. He even sent a sample of the phished bank accounts to show he was a genuine blackmailer.
And the fact that Martin had captured 740,000 credentials suggests he had successfully tricked the customers of many more organisations.
Halifax Bank confirmed that its own computer network was not breached, and reminded customers that it would never send an email, text or link asking for their internet banking or card details.
Martin used anonymising software to hide his identity, but he was eventually identified and arrested.
Police forensic experts examined a seized computer and phone and found evidence linking him to the blackmail.
They also found compromised personal banking information that could be used in a fraud, along with three malware-based phishing programs designed to steal personal details and data.
Detective Chief Inspector Jason Tunn of the Met Police Cyber Crime Unit said in a statement to journalists: "The MPS is determined to track down and prosecute cyber-criminals that seek to defraud businesses and residents of London. Martin was not able to defeat the bank's security systems but instead chose to target his phishing activity at retail customers.”
Despite this success, HMCIC Tom Winsor said in a report last week that the police are “behind the curve” in tackling cyber-crime, that every police officer – not just specialist units - now needs to understand technology, and the quality of leadership and management in this area is lacking.
His 2013/14 ‘State of Policing' report into the 43 police forces in England and Wales, who receive £13 billion annually, says: “The capabilities of the police need to improve if they are to get ahead of the curve of rapidly changing criminality.
“Unreported crime such as cyber-crime is not an emerging threat: it is here now. The police need to improve the prevention and detection of such crimes.”
Winsor adds: “Almost all crime has a technological aspect to it now and every officer needs an understanding of it and the capabilities to deal with the cyber-crime they encounter.
“The quality of leadership, supervision and management at all levels will need to adapt to the new environment if the police are to meet the challenges they face.”
Winsor's warning has been echoed by cyber-security consultant, and former Scotland Yard cyber-crime detective, Adrian Culley who told SCMagaziuneUK.com that when it comes to tackling cyber-crime: “Other than two or three notable exceptions, the whole of the UK constabulary isn't even on the playing field, never mind in the game.
“A key part of the HMCIC criticisms is the wide range of abilities of constabularies in providing incident response to cyber-attacks on our critical national infrastructure.
“Incident response is difficult, it's a very expensive set of skills and it doesn't at all sit naturally into law enforcement. If you're a company and you think you've been attacked, who do you go to? It's certainly not your local desk sergeant.
“People think that GCHQ are looking after all this and they're now trying to claim the NCA is doing these things. That's where the HMCIC report has got to the eye of the storm – if it's critical national infrastructure, there should be a critical national response and it's not at all clear who that is, or if they even exist.”
Culley said it will be “fascinating to see” if the new single structure of Police Scotland works better than the current “fractured” policing model in England and Wales.
He added: “It is now vital that all police officers understand technology, cyber-crime and digital evidence. This is a challenge around the world, and no-one has yet mastered a policing model for digital society.”