Data Breach , Data Loss , Governance

TalkTalk Hack: Two Men Plead Guilty

Hacker Encrypted Hard Drives But Left Social Media Chat Trail, Police Say
TalkTalk Hack: Two Men Plead Guilty
Metropolitan Police Service headquarters at New Scotland Yard in London

Two men have pleaded guilty to hacking London-based telecommunications giant TalkTalk in October 2015.

See Also: Solving Third-Party Cybersecurity Risk - A Data-Driven Approach

Matthew Hanley, 22, and Conner Douglas Allsopp, 20, both of Tamworth, England, have pleaded guilty to related offenses.

Hanley pleaded guilty April 26 at London's Old Bailey courthouse to three offenses under the Computer Misuse Act, "including the hacking of the TalkTalk website, obtaining files that would enable the hacking of websites and supplying files to enable the hacking of websites to others," according to the Metropolitan Police Service in London. Hanley also pleaded guilty to supplying a spreadsheet - containing TalkTalk customer details - to someone else for the purpose of committing fraud.

That someone else was Allsopp, who pleaded guilty on March 30 to supplying a computer file for the purpose of hacking, in violation of the Computer Misuse Act.

Both men are due to be sentenced May 31 at the Old Bailey.

An investigation conducted by the Information Commissioner's Office - Britain's data privacy watchdog - found that the hacks resulted in personal data being exposed for almost 157,000 TalkTalk customers, plus bank accounts and sort codes for more than 15,000 customers. The exposed personal data included name, address, date of birth, telephone number, email address and financial information.

Hacker's Operational Security Fail

Both Hanley and Allsop were identified by the Met's Cyber Crime Unit, which is part of the service's Fraud and Linked Crime Online Unit, aka Falcon.

Police arrested Hanley on Oct. 30, 2015 - just seven days after TalkTalk was hacked - and seized computing devices and hard drives found at his address. But investigators found multiple hard drives had been wiped, or were encrypted, and that the data they stored couldn't be recovered.

In an operational security fail by the suspect, however, investigators said they also discovered social media accounts via which Hanley had been chatting, and found that they detailed how he'd hacked TalkTalk.

"Detectives discovered conversations where Hanley had been discussing his involvement and actions in hacking into TalkTalk's website and also discussing how he had deleted incriminating data from his computers and encrypted his devices in order to cover his tracks," according to the Met Police.

Police say Hanley's social media accounts revealed communications with Allsopp, who he tried to get to sell stolen TalkTalk customers' personal information for a profit.

Police arrested Allsopp in April 2016, and say that when presented with the chat logs, he admitted to having tried, unsuccessfully, to sell the stolen customer data. Police said he also admitted to trying to sell the TalkTalk website's vulnerability details to other would-be hackers.

Detective Chief Inspector Andy Gould, from the Met's Falcon cybercrime unit, says in statement that the arrests of Hanley and Allsopp were the result of "old-fashioned detective work" mixed with advanced digital forensics.

"Hanley thought that he was being smart and covering his tracks by wiping his hard drives and encrypting his data," Gould says in a statement. "But what our investigation shows is that no matter how hard criminals try to conceal their activity, they will leave some kind of trail behind."

Multiple other suspects, including a teenager in Northern Ireland, have also been arrested as part of the TalkTalk investigation.

Following the hack, TalkTalk said it had received a related ransom demand.

The Met says its investigation remains ongoing.

Catalog of Security Failures

An investigation into the October 2015 TalkTalk breach, meanwhile, found that the telecommunications giant wasn't blameless (see TalkTalk Breach Investigation: Top Cybersecurity Takeaways).

Indeed, TalkTalk was subsequently slammed with a record £400,000 ($516,000) fine by the ICO. It imposed the fine after its investigation concluded that TalkTalk, which trades on the London Stock Exchange, had violated Britain's Data Protection Act by failing to put proper security measures in place to safeguard user data.

"TalkTalk's failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk's systems with ease," Information Commissioner Elizabeth Denham said in a statement at the time. "Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."

The ICO's investigation found that TalkTalk was hacked via SQL injection attacks against a database that was originally created by Italian telecommunications firm Tiscali. TalkTalk acquired Tiscali's U.K. operations in 2009 but failed to properly catalog and manage the related infrastructure, the ICO's report said. It added that when the MySQL open source SQL database management system in question was hacked in 2015, it hadn't yet been updated with a critical MySQL patch that was released in 2012.

Meanwhile, the cost of the data breach cleanup for TalkTalk was estimated to be up to $94 million. In the wake of the breach, TalkTalk also reported losing 95,000 customers.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.