Two Tamworth men have been jailed for their part in the 2015 cyber attack on TalkTalk that saw the personal information of 156,959 customers compromised.
Matthew Hanley, 23, and Conner Douglas Allsopp, 21, both of Tamworth in Staffordshire, received prison sentences of 12 and 8 months respectively for offences under the Computer Misuse Act 1990.
Detective Constable Rob Burrows, the investigating officer, said: “Hanley hacked into TalkTalk’s database with the sole intention to steal customer personal data and sell it to criminals and fraudsters for his and Allsopp’s financial gain. Allsopp was a willing participant in the crime. If successful this could have put thousands of people at risk of fraud.”
According to the BBC, Judge Anuja Dhir QC told the men their actions had “caused misery and distress to the many thousands of the customers at TalkTalk”.
Hanley and Allsopp took advantage of SQL injection vulnerabilities in TalkTalk’s systems that had been identified by another attacker, who scanned the website for security flaws with automated tools and then shared his findings online.
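To make the class of flaw concrete, the following is an added illustration (not code from the article, and not TalkTalk’s actual schema or application) of what an SQL injection vulnerability looks like in a customer lookup, placed beside the parameterised query that closes it. The table, the sample rows and the input strings are all constructed for the demonstration; the point is that with string-built SQL a single quote in the input rewrites the query logic, while a bound parameter can only ever be treated as data.

```python
import sqlite3

# Constructed sample data for the demonstration (not real customer records).
CUSTOMERS = [
    (1, "alice@example.com", "Alice Example"),
    (2, "bob@example.com", "Bob Example"),
    (3, "carol@example.com", "Carol Example"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable form: user-supplied text is pasted straight into the SQL string.

    A quote character in the input terminates the literal and the rest of the
    input becomes part of the WHERE clause, so the caller no longer controls
    which rows the query returns.
    """
    sql = "SELECT id, email, name FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened form: the statement and the value travel separately.

    The driver binds `email` as a value, so quotes or SQL keywords inside it
    are matched literally against the column and never change the query.
    """
    sql = "SELECT id, email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# A constructed input containing a quote and a tautology, used only to show
# that the two lookups behave differently on the same string.
TAUTOLOGY_INPUT = "' OR '1'='1"


def demo():
    """Run both lookups on a normal address and on the tautology input.

    Returns the row counts so the difference is visible at a glance:
    the vulnerable lookup returns every row for the crafted input,
    the parameterised lookup returns none (no such email exists).
    """
    conn = build_db()
    normal = "alice@example.com"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, TAUTOLOGY_INPUT)),
        "safe_normal": len(lookup_parameterized(conn, normal)),
        "safe_crafted": len(lookup_parameterized(conn, TAUTOLOGY_INPUT)),
    }


if __name__ == "__main__":
    for key, count in demo().items():
        print(f"{key}: {count} row(s)")
```

The fix is the same in every database library: never build the statement from request data, always bind it. Code review or a static analysis rule that flags string formatting or concatenation feeding `execute()` will catch this pattern before a scanner on the public site does.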
The then-17-year-old – who could not be named because of his age – was fined £85, given a 12-month rehabilitation order, and had his hard drive and iPhone confiscated in December 2016. He told Norwich Youth Court that he was showing off.
“Basic cyber security measures”
In October 2016 the ICO (Information Commissioner’s Office) fined the company £400,000 for security failings that led to customer data being accessed. The Information Commissioner, Elizabeth Denham, said:
“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
As Denham pointed out, it was TalkTalk’s failure to address security vulnerabilities that allowed the crooks access to customer information.
GDPR breach readiness
In many ways TalkTalk was lucky that the incident occurred before the GDPR (General Data Protection Regulation) came into effect on 25 May this year.
The Regulation’s data breach notification provisions require data controllers to report certain incidents to the ICO within 72 hours of becoming aware of them.
As well as taking action to identify and close security vulnerabilities, it’s critical to put processes in place to ensure you can react quickly and appropriately to any data breaches that you suffer.
Use our breach readiness checklist for your free personalised guide on how to achieve GDPR compliance.
You’ll receive a detailed report outlining the steps for developing a watertight data breach response plan. Designed around the ICO’s breach reporting requirements, this audit will help you discover the gaps in your security. Scoring less than 100% means you’re open to risk.