Twenty-two-year-old Daniel Kelley from Llanelli, South Wales has been sentenced to four years in detention for his role in the TalkTalk hack that affected as many as 157,000 of TalkTalk’s subscribers.
Kelley was first arrested in November 2015 in a joint action carried out by the Met’s cyber crime unit, the Police Service of Northern Ireland’s cyber crime centre and the National Crime Agency and was the fifth suspect to be arrested following the hacking of TalkTalk that cost the company between £40 million and £45 million in losses.
The four-year sentence was handed out to Kelley on Monday by the Central Criminal Court of England and Wales, popularly known as the Old Bailey. In 2016, Kelley pleaded guilty to stealing personal data from compromised TalkTalk servers, blackmailing affected customers and demanding ransom, and to committing a range of other cyber crime offenses.
The hacking of TalkTalk's internal servers took place after a 17-year old computer geek discovered a potential flaw in the firm's online security and posted details about the same on hacker forums. A number of eager hackers pounced on the opportunity and exploited the vulnerability to infiltrate TalkTalk's servers. A total of 14,000 hacking attempts were made in order to breach TalkTalk's website.
Two other TalkTalk hackers were also jailed in November
The sentencing of Daniel Kelley took place not long after two young British hackers named Matthew Hanley and Connor Allsopp were jailed for twelve months and eight months respectively for their role in the TalkTalk hack.
While pronouncing her verdict, Judge Anuja Dhir QC said that Hanley and Allsopp were involved in a "significant, sophisticated systematic hack attack in a computer system used by TalkTalk" and even though the breach cost TalkTalk an estimated £77 million, "the loss does not end there". She added that Hanley and Allsop were "individuals of extraordinary talent" but their actions had caused misery and distress to many thousands of the customers at TalkTalk.
The cyber-attack on TalkTalk's servers affected up to 157,000 subscribers and resulted in the loss of more than 15,000 bank account numbers. The data breach cost TalkTalk between £40 million and £45 million as well as a total of 101,000 customers in the third quarter of 2015. TalkTalk won over a majority of its subscribers later by offering an unconditional apology as well as through free offerings.
A year after the attacks took place, the Information Commissioner's Office issued a record £400,000 fine to TalkTalk "for security failings that allowed a cyber attacker to access customer data “with ease”.
The ICO noted that TalkTalk failed to properly identify a database containing customer records that featured inherent vulnerabilities and the same was infiltrated by hackers using SQL injection, resulting in a massive breach of customer records.
"TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action," said Elizabeth Denham, the Information Commissioner.