The Central Criminal Court of England and Wales has convicted two further men (Matthew Hanley and Conner Douglas Allsopp) of involvement with the hacking of TalkTalk’s website during October 2015, which exposed masses of customer details and cost the provider £42m.
The attack itself was the result of a combined Distributed Denial of Service (DDoS) assault and an SQL Injection exploit against the broadband provider’s website, which enabled the attackers to access the personal data of 156,959 customers (in 15,656 of those cases the attackers also had access to sensitive bank account details and sort codes).
In the end TalkTalk suffered significant reputational damage, and an investigation by the Information Commissioner’s Office (ICO), which uncovered a string of similar hacking attempts on their servers, ultimately resulted in the provider being fined £400,000 over their “failure to implement the most basic cyber security measures.”
Since then there have been plenty of arrests and two people have already faced justice (19-year-old Daniel Kelley from South Wales and an unnamed 17-year-old boy). Yesterday they were joined by Connor Allsopp (aged 20) and Matthew Hanley (aged 22). Both men were identified by officers from the Met’s Cyber Crime Unit, which is part of their Fraud and Linked Crime Online Unit (Falcon).
Matthew Hanley of Devonshire Drive (Tamworth) pleaded guilty to three offences under the Computer Misuse Act, including the hacking of TalkTalk’s website, obtaining files that would enable the hacking of websites and supplying files to enable the hacking of websites to others. He also pleaded guilty to supplying an article for use in fraud – namely a spreadsheet containing TalkTalk customer details.
Meanwhile Conner Douglas Allsopp of Ludgate (Tamworth) pleaded guilty, at the end of March 2017, to supplying an article for use in fraud and supplying an article intended for use in the commission of an offence under the Computer Misuse Act (i.e. a computer file to enable hacking).
Andy Gould, Detective Chief Inspector (Met’s Falcon Cyber Crime Unit), said:
“Hanley hacked into TalkTalk’s website in order to steal their customers’ data and looked to sell it on to other criminals and fraudsters who would then go on to use that data for other criminal purposes.
Hanley thought that he was being smart and covering his tracks by wiping his hard drives and encrypting his data. But what our investigation shows is that no matter how hard criminals try to conceal their activity, they will leave some kind of trail behind.
This investigation has been painstaking and the work our detectives have done to trace and identify those involved has combined cutting-edge digital forensic techniques, with old-fashioned detective work that has led to the conviction of several of those involved and the investigation continues.”
Apparently detectives identified Hanley as a suspect in the early stages of their investigation and he was arrested on 30th October 2015, only a few short days after the attack itself took place. The police seized his computers but found they had been wiped or encrypted, although Hanley’s social media accounts revealed that he had been discussing his involvement and actions in the hack.
The chat logs also revealed that, after having stolen the data from TalkTalk, Hanley then got Allsopp to try and sell the personal data of customers so that the pair could profit from it. We should point out that Allsopp was unsuccessful in his attempts to sell the data and information on the ISP’s website vulnerabilities.
The pair are due to be sentenced on 31st May at the Old Bailey.