UK Man Sentenced for 2015 TalkTalk Hack22-Year-Old Also Attacked His Former School
A U.K. man was sentenced on Monday to four years in jail for his role in several cybercrimes, including the October 2015 hack of London-based telecom company TalkTalk that cost the firm nearly $100 million.
Daniel Kelley pleaded guilty to 11 charges in 2016, including the attack against TalkTalk as well as a separate hack of his former school and a number of other cybercrimes, according to the Metropolitan Police Service.
As part of his guilty plea in 2016, Kelley admitted to blackmailing TalkTalk and four other organizations, hacking TalkTalk and his local college, encouraging and assisting in hacking, and converting proceeds of blackmail from a victim, authorities said.
Kelley will serve his prison time at a young offenders institute because he was a teenager at the time these attacks took place, authorities said.
Fallout From TalkTalk Attack
Kelley was arrested in July 2015 for cybercrimes that included hacking systems, stealing data and attempting to blackmail and extort money from his victims. While out on bail for those charges, the Metropolitan Police’s Cyber Crime Unit arrested him again, along with several others, for the hacking of TalkTalk in October 2015, authorities said.
An investigation conducted by the Information Commissioner's Office - Britain's data privacy watchdog - into the TalkTalk hack found that the attackers exposed the personal data of nearly 157,000 customers, plus bank accounts and sort codes for more than 15,000 others (see: Two Friends Who Hacked TalkTalk Receive Prison Sentences).
The exposed personal information included names, addresses, dates of birth, telephone numbers, email addresses and financial data. The attack cost TalkTalk about £77 million ($99 million), authorities previously said (see: TalkTalk Breach Fuels Call for Tougher UK Laws).
Investigators eventually arrested six individuals in connection with the TalkTalk hack, and several of them have already been imprisoned for their roles in the incident.
Over a two-year period between 2013 and 2015, when he was a teenager living in Wales, Kelley was involved in a number of cybercrimes, according to the Metropolitan Police.
At one point, Kelley attempted to extort some 753 bitcoins from victims that at the time were valued at more than £123,700 ($157,400), and succeeded in collecting £4,400 ($5,600) in bitcoins that he later attempted to convert into cash, authorities said. The companies and victims were located in the U.K., Australia and Canada, police said.
Kelley threatened to release credit card and other information on various dark net forums if victims didn’t pay, authorities said.
"Kelley is a prolific and ruthless cybercriminal and blackmailer who caused considerable damage, distress, harm and loss to victims' worldwide," Acting Detective Sergeant Rob Burrows of the Met's Cyber Crime Unit, noted during Monday's sentencing.
Kelley turned against his former school when he did not get good enough grades to attend a specific computer course, the BBC reported. That particular incident not only disrupted the school and its students, but also affected the local government in Wales, including a computer crash at a local hospital, the BBC reported.
In his defense, Kelley's attorneys argued that their client has been diagnosed with Asperger's syndrome and has suffered from depression, according to the BBC.
Failures at TalkTalk
The investigation by the Information Commissioner's Office into the TalkTalk hack found that the attack started with a SQL injection that targeted a database originally created by Italian telecommunications firm Tiscali, according to the office's report.
TalkTalk acquired Tiscali's U.K. operations in 2009, but it failed to properly catalog and manage the related infrastructure, the Information Commissioner's Office report found. When TalkTalk's MySQL open source SQL database management system was hacked in 2015, the company hadn't yet updated it with a critical patch released three years before, according to the report.
The Information Commissioner's Office fined TalkTalk £400,000 ($515,000), which was a record at the time in the U.K. for a data breach (see: TalkTalk Breach Investigation: Top Cybersecurity Takeaways).