The Old Bailey criminal court in London has today jailed two hackers – Matthew Hanley (23) and Connor Allsopp (21) – for their part in the 2015 cyber-attack against TalkTalk’s website. This ultimately cost the broadband ISP around £77 million and exposed the personal data of 156,959 customers.
The attack itself resulted from a combined Distributed Denial of Service (DDoS) assault and an SQL Injection exploit against the broadband provider’s site, which enabled the attackers to access the personal data of 156,959 customers (in 15,656 of those cases the attackers also had access to sensitive bank account details and sort codes).
In the end TalkTalk suffered major damage to their reputation, and the Information Commissioner’s Office (ICO), whose investigation uncovered a string of similar hacking attempts on their servers, ultimately fined the provider £400,000 over their “failure to implement the most basic cyber security measures.”
Since then there have been lots of arrests and several people have already faced justice. Last year they were joined by Connor Allsopp and Matthew Hanley. Both men were identified by officers from the Met’s Cyber Crime Unit as part of their Fraud and Linked Crime Online Unit (Falcon).
At the time Matthew Hanley of Devonshire Drive (Tamworth) pleaded guilty to three offences under the Computer Misuse Act, including the hacking of TalkTalk’s website, obtaining files that would enable the hacking of websites and supplying files to enable the hacking of websites to others. He also pleaded guilty to supplying an article for use in fraud – namely a spreadsheet containing customer details.
Meanwhile Connor Douglas Allsopp (also from Tamworth) pleaded guilty to supplying an article for use in fraud and supplying an article intended for use in the commission of an offence under the Computer Misuse Act (i.e. a computer file to enable hacking). Today the judge, Anuja Dhir QC, decided to jail Hanley for 12 months and Allsopp for 8 months.
Anuja Dhir QC said:
“You were both involved in a significant, sophisticated systematic hack attack in a computer system used by TalkTalk. The prosecution accept that neither of you exposed the vulnerability in their systems, others started it, but you at different times joined in.”
We had expected today’s decision to be handed down last year but sometimes the wheels of justice take a long time to turn. Meanwhile TalkTalk has spent the past few years progressing toward a steady recovery and they’ve made many changes since 2015, not least related to tougher security procedures, new systems and a completely new website.
The provider’s former CEO, Dido Harding, who was subjected to several blackmail attempts as some of those involved tried and failed to extort Bitcoin in exchange for the stolen data, has long since left the ISP. TalkTalk declined to comment.