UK ISP TalkTalk suffered a data breach back in 2015. Now, prison sentences are being handed down to two individuals partly responsible for the hack.
Back in 2015, UK ISP TalkTalk suffered a data breach. Reports at the time said that the breach affected 157,000 customers, so it wound up being a medium-sized breach in the grand scheme of things. From that report:
Talk Talk said the total number of customers affected by the attack two weeks ago was 156,959, including 15,656 whose bank account numbers and sort codes were hacked.
The total is 4% of TalkTalk’s 4 million customers and is a small fraction of the number feared when news of the attack broke. The number of customers whose bank details were stolen is lower than an estimate of less than 21,000 released a week ago.
The company said 28,000 credit and debit card numbers, with some digits obscured, stolen by the hackers cannot be used for payment and customers cannot be identified from the data.
Later on, the Information Commissioner's Office (ICO) handed the ISP a £400,000 fine for failing to properly secure the information. This was largely because parts of the information were unencrypted, along with other basic security weaknesses in the system that helped allow the hack to take place.
Now, reports are surfacing that two individuals partly responsible for the hack have been handed prison sentences. From KitGuru:
Although exposure of the vulnerability was admittedly the fault of an unrelated 17-year-old, two friends from Tamworth, Staffordshire have both admitted their part in utilising the weakness to steal data from TalkTalk. 23-year-old Matthew Hanley, described as a “determined and dedicated hacker,” received 12 months in prison for passing sensitive details of 8,000 customers for use in fraud to 21-year-old Connor Allsopp, who received just 8 months for his part.
“The crown cannot say precisely what was within the file that Hanley provided to Allsopp,” explains prosecutor Peter Ratliff. “However, on the basis of Hanley’s previous discussions with others, it would appear to have been the bank and other details of in excess of 8,000 TalkTalk customers. Because it was that material he repeatedly boasted of having.”
Judge Anuja Dhir QC handed out the sentences, stating that both were “involved in a significant, sophisticated systematic hack attack in a computer system used by TalkTalk. The prosecution accept that neither of you exposed the vulnerability in their systems, others started it, but you at different times joined in.
“Your actions, the actions of others, resulted in the then-CEO of TalkTalk being subjected to repeated attempts to blackmail her for money. You were not personally involved in making those attempts but your actions helped facilitate it,” Judge Dhir concluded.
Counting the drop in shareholder value and other costs besides the fine, TalkTalk reportedly lost an estimated £77 million as a result of the hack.