Two men who admitted their part in the October 2015 data breach of internet service provider (ISP) TalkTalk have been jailed.
Matthew Hanley of Tamworth pleaded guilty to offences under the Computer Misuse Act 1990 in April 2017 for his role in the attack and received a 12-month jail term.
Connor Allsopp, meanwhile, pleaded guilty on 30 March 2017 to supplying an article for use in fraud and supplying an article (a computer file to enable hacking) intended for the commission of an offence under the Computer Misuse Act 1990.
The men were finally sentenced yesterday, after Hanley was arrested as long ago as 30 October 2015.
While Hanley’s IT equipment was seized, officers established that its storage had been either wiped or encrypted.
According to the Metropolitan Police statement, the investigation into Hanley’s communications uncovered evidence concerning his involvement in the attack and the actions he took to destroy and conceal evidence. Having successfully gained access and acquired the data, he instructed Allsopp to sell the data on his behalf for financial gain.
Allsopp was identified and arrested in April 2016. He admitted attempting to sell the customer data Hanley had stolen and to sell details of TalkTalk vulnerabilities that would have enabled others to hack into the TalkTalk database.
Detective Constable Rob Burrows, the investigating officer, claimed that Hanley had “hacked into TalkTalk’s database with the sole intention to steal customer personal data and sell it to criminals and fraudsters for his and Allsopp’s financial gain”.
He continued: “Hanley thought he was clever covering his tracks, concealing and destroying evidence on his computers,” but added that the Metropolitan Police had nevertheless managed to secure “overwhelming digital evidence” enabling a prosecution to proceed.
However, TalkTalk also came in for criticism for the lackadaisical security that enabled Hanley and Allsopp to break in to the ISP’s back-end systems somewhat easily.
At their trial, the court “was told how 22-year-old Matthew Hanley used a ten-year-old SQL injection flaw to break in to TalkTalk’s systems, enabling him to peruse customers’ personal and financial details, which he passed on to his friend, 20-year-old Connor Allsopp”.
At least four people, including Hanley and Allsopp, were arrested and tried for their involvement in the attack.
TalkTalk was fined the maximum amount under the old Data Protection Act – £500,000, with a 20 per cent discount for early payment.