
Two Hackers Jailed for 2015 Cyber Attack Against UK ISP TalkTalk

Monday, November 19th, 2018 (9:14 pm) - Score 2,027

The Old Bailey criminal court in London has today jailed two hackers – Matthew Hanley (23) and Connor Allsopp (21) – for their part in the 2015 cyber-attack against TalkTalk’s website. This ultimately cost the broadband ISP around £77 million and exposed the personal data of 156,959 customers.

The attack itself resulted from a combined Distributed Denial of Service (DDoS) assault and an SQL Injection exploit against the broadband provider’s site, which enabled the attackers to access the personal data of 156,959 customers (in 15,656 of those cases the attackers also had access to sensitive bank account details and sort codes).

In the end TalkTalk suffered major damage to their reputation, and an investigation by the Information Commissioner’s Office (ICO), which uncovered a string of similar hacking attempts on their servers, ultimately led to the provider being fined £400,000 over their “failure to implement the most basic cyber security measures.”

Since then there have been lots of arrests and several people have already faced justice. Last year they were joined by Connor Allsopp and Matthew Hanley. Both men were identified by officers from the Met’s Cyber Crime Unit as part of their Fraud and Linked Crime Online Unit (Falcon).

At the time Matthew Hanley of Devonshire Drive (Tamworth) pleaded guilty to three offences under the Computer Misuse Act, including the hacking of TalkTalk’s website, obtaining files that would enable the hacking of websites and supplying files to enable the hacking of websites to others. He also pleaded guilty to supplying an article for use in fraud – namely a spreadsheet containing customer details.

Meanwhile Connor Douglas Allsopp (also from Tamworth) pleaded guilty to supplying an article for use in fraud and supplying an article intended for use in the commission of an offence under the Computer Misuse Act (i.e. a computer file to enable hacking). Today the judge, Anuja Dhir QC, decided to jail Hanley for 12 months and Allsopp for 8 months.

Anuja Dhir QC said:

“You were both involved in a significant, sophisticated systematic hack attack in a computer system used by TalkTalk. The prosecution accept that neither of you exposed the vulnerability in their systems, others started it, but you at different times joined in.”

We had expected today’s decision to be handed down last year but sometimes the wheels of justice take a long time to turn. Meanwhile TalkTalk has spent the past few years progressing toward a steady recovery and they’ve made many changes since 2015, not least related to tougher security procedures, new systems and a completely new website.

The provider’s former CEO, Dido Harding, who was subjected to several blackmail attempts as some of those involved tried and failed to extort Bitcoin in exchange for the stolen data, has long since left the ISP. TalkTalk declined to comment.

13 Responses
  1. M says:

    These two are from my hometown! 🙁 I actually know relatives of one of them, good to see they got what they deserved.

  2. mike says:

    Has anybody from TalkTalk been jailed for allowing themselves to be vulnerable to one of the most common, well understood, and easy to defend, attacks?

    1. Borat Sagdiyev says:

      Using the same logic perhaps we should jail also Sony & Tesco Bank employees for allowing themselves to be hacked? Let’s go further and also jail rape victims for wearing the ‘wrong type of clothing’.

    2. mike says:

      SQL injection is something you design against from day one. It simply shouldn’t happen in 2018. If you’re vulnerable to it, it’s because of negligence. Even the ICO described their “failure to implement the most basic cyber security measures”.

      Your examples are not equivalent at all.

    3. Alex Bristol says:

      Borat, sorry you have missed the point, it was like Talktalk having an office that contained paper files on customers and the front door was left wide open. This is why the ICO said “failure to implement the most basic cyber security measures” and fined Talktalk.
      I agree with Mike when the CEO was paid £2.8 million in 2015 (https://www.independent.co.uk/news/business/talktalk-ceo-dido-harding-sees-pay-almost-triple-despite-cyber-attack-affecting-160000-customers-a7091886.html) the ICO should have fined individual members of the management board of Talktalk for failing to protect customers’ data.

    4. Borat Sagdiyev says:

      Ok I’ll provide a more relevant example: if someone leaves their house unlocked by accident overnight (I imagine it’s not unheard of) and then in the morning they found out they’ve been burgled with credit cards/valuables/cash etc missing. So using Mike’s logic the victim should be jailed? After all, no sane person would go to bed leaving their doors unlocked right? Of course insurance co would probably refuse to pay out but that’s beside the point. Fact is TalkTalk aren’t unique in getting their systems hacked (no matter how simple or sophisticated the hack). Sony Playstation Network, Tesco Bank, British Scareways and only just recently Vision Direct have all been hacked. You could argue the Sony and BA hack was worse than TT’s as actual payment/CC numbers were leaked.

      Of course the insurance company

    5. mike says:

      Another bad example. TalkTalk is not as much the victim as their customers are. They have a legal responsibility to protect their customer data and they completely failed to do that.

    6. joseph says:

      “Has anybody from TalkTalk been jailed for allowing themselves to be vulnerable to one of the most common, well understood, and easy to defend, attacks?”

      No and neither was anyone from BT, Sky or Yahoo when their Email system got hacked and rightly so. Perhaps the concept of a VICTIM of an Attack is new to you. Or you just like to troll with stupid arguments. Thankfully neither concept applies to the rest of common sense society.

    7. mike says:

      They took no steps to protect themselves. They are not a victim. They are grossly negligent with a cavalier attitude towards security and the safety of their customers’ data.


    8. joseph says:

      The system was “hacked”, perhaps meanings of words also elude your grasp on reality.

      BT did not act responsibly when their email was hacked, nobody from BT ended up in prison.


      No YOUR concept is not lost on me, I understand it perfectly……
      Let’s hope you ACT RESPONSIBLY, NEVER walk down the street, and if you do SECURE YOUR MONEY AND PROPERTY by making sure you have no cash or anything of value on you, because a CHILD (someone under 18) COULD mug you of your money and or items of value otherwise.

      In this instance you would NOT be a victim but via your own morals of responsibility just an irresponsible idiot for walking down the street failing to protect your valuables because they were not SECURE.

      The Police and NHS will hopefully ignore any wounds inflicted upon you, excluding the brain injury you apparently already have.

      I trust I’m grasping your concept now.

    9. Carlson says:

      He will no doubt try to argue he does not have a legal responsibility to defend himself, as he has tried above. The only problem with that is the law does allow for you to use reasonable force to defend yourself, coupled with the choice he would more than likely make by still carrying his money/valuables just illustrates how stupid his troll is.

      Or AS HIS CONCEPT PUTS IT “no steps to protect themselves. They are not a victim. They are grossly negligent with a cavalier attitude towards security and the safety of their”… VALUABLES.

      The fact he wants people from Talk Talk to be “jailed” because they did not is also hilarious given every large ISP at some point has been hacked, be it BT and Sky and their dodgy email systems or DoS attacks to Virgin and BT in recent years.

      £400,000 is not even a significant fine considering BT have been fined more than that (£42 MILLION in one instance) just for failing to deliver on time and breaching contracts with others. So the authorities involved clearly do not think Talk Talk did too much wrong, which no doubt (happily I find) angers him even more.

      Clearly this is someone who for whatever reason has a hatred towards Talk Talk (sounds pretty much like another certain individual on here)… Or he truly believes those affected by criminal behaviour should be punished.

      Either way we all know how well that ‘logic’ turned out for those concerned in this news. Shame he did not use his similar ‘morals’ to participate in their moral crusade. 😉

  3. Thematt says:

    >Runs script.

    >is now “hacker”

  4. A_Builder says:

    Try and realise just how awful most commercial security is. Then think more awful.

    A while back I was staying in a very nice boutique hotel with my wife. The hotel is now defunct.

    Someone called me from the office to say they were having a problem setting up a new piece of kit on the gateway. So I told them to plug it in and I would remote in through another WAN connection and sort it out as I thought I knew the issue.

    I connected the VPN and entered the IP address and logged in with the default user/password. I was quite surprised to see that the device was configured with quite a big config. Initially I suspected that the supplier had sent us an RMA unit and was about to do a full reset on it, then it dawned on me, just as I was reaching for the mouse to click on reset, that I had accidentally logged onto the hotel’s main gateway which was protected by the router’s default login/password…….sure enough the VPN hadn’t stayed up.

    This was a quad WAN unit a few years back so it gives you an idea of the nameless hotel’s scale. It is no longer in business.
