[BreachExchange] TalkTalk Hack: Two Men Plead Guilty

Audrey McNeil audrey at riskbasedsecurity.com
Fri Apr 28 15:34:27 EDT 2017


http://www.databreachtoday.com/talktalk-hack-two-men-plead-guilty-a-9871

Two men have pleaded guilty to hacking London-based telecommunications
giant TalkTalk in October 2015.

Matthew Hanley, 22, and Conner Douglas Allsopp, 20, both of Tamworth,
England, have pleaded guilty to related offenses.

Hanley pleaded guilty April 26 at London's Old Bailey courthouse to three
offenses under the Computer Misuse Act, "including the hacking of the
TalkTalk website, obtaining files that would enable the hacking of websites
and supplying files to enable the hacking of websites to others," according
to the Metropolitan Police Service in London. Hanley also pleaded guilty to
supplying a spreadsheet - containing TalkTalk customer details - to someone
else for the purpose of committing fraud.

That someone else was Allsopp, who pleaded guilty on March 30 to supplying
a computer file for the purpose of hacking, in violation of the Computer
Misuse Act.

Both men are due to be sentenced May 31 at the Old Bailey.

An investigation conducted by the Information Commissioner's Office -
Britain's data privacy watchdog - found that the hacks resulted in personal
data being exposed for almost 157,000 TalkTalk customers, plus bank
accounts and sort codes for more than 15,000 customers. The exposed
personal data included name, address, date of birth, telephone number,
email address and financial information.

Hacker's Operational Security Fail

Both Hanley and Allsopp were identified by the Met's Cyber Crime Unit, which
is part of the service's Fraud and Linked Crime Online Unit, aka Falcon.

Police arrested Hanley on Oct. 30, 2015 - just seven days after TalkTalk
was hacked - and seized computing devices and hard drives found at his
address. But investigators found multiple hard drives had been wiped, or
were encrypted, and that the data they stored couldn't be recovered.

In an operational security fail by the suspect, however, investigators said
they also discovered social media accounts via which Hanley had been
chatting, and found that they detailed how he'd hacked TalkTalk.

"Detectives discovered conversations where Hanley had been discussing his
involvement and actions in hacking into TalkTalk's website and also
discussing how he had deleted incriminating data from his computers and
encrypted his devices in order to cover his tracks," according to the Met
Police.

Police say Hanley's social media accounts revealed communications with
Allsopp, who he tried to get to sell stolen TalkTalk customers' personal
information for a profit.

Police arrested Allsopp in April 2016, and say that when presented with the
chat logs, he admitted to having tried, unsuccessfully, to sell the stolen
customer data. Police said he also admitted to trying to sell the TalkTalk
website's vulnerability details to other would-be hackers.

Detective Chief Inspector Andy Gould, from the Met's Falcon cybercrime
unit, says in a statement that the arrests of Hanley and Allsopp were the
result of "old-fashioned detective work" mixed with advanced digital
forensics.

"Hanley thought that he was being smart and covering his tracks by wiping
his hard drives and encrypting his data," Gould says in a statement. "But
what our investigation shows is that no matter how hard criminals try to
conceal their activity, they will leave some kind of trail behind."

Multiple other suspects, including a teenager in Northern Ireland, have
also been arrested as part of the TalkTalk investigation.

Following the hack, TalkTalk said it had received a related ransom demand.

The Met says its investigation remains ongoing.

Catalog of Security Failures

An investigation into the October 2015 TalkTalk breach, meanwhile, found
that the telecommunications giant wasn't blameless (see TalkTalk Breach
Investigation: Top Cybersecurity Takeaways).

Indeed, TalkTalk was subsequently slammed with a record £400,000 ($516,000)
fine by the ICO. It imposed the fine after its investigation concluded that
TalkTalk, which trades on the London Stock Exchange, had violated Britain's
Data Protection Act by failing to put proper security measures in place to
safeguard user data.

"TalkTalk's failure to implement the most basic cybersecurity measures
allowed hackers to penetrate TalkTalk's systems with ease," Information
Commissioner Elizabeth Denham said in a statement at the time. "Yes hacking
is wrong, but that is not an excuse for companies to abdicate their
security obligations. TalkTalk should and could have done more to safeguard
its customer information. It did not and we have taken action."

The ICO's investigation found that TalkTalk was hacked via SQL injection
attacks against a database that was originally created by Italian
telecommunications firm Tiscali. TalkTalk acquired Tiscali's U.K.
operations in 2009 but failed to properly catalog and manage the related
infrastructure, the ICO's report said. It added that when the MySQL open
source SQL database management system in question was hacked in 2015, it
hadn't yet been updated with a critical MySQL patch that was released in
2012.

Meanwhile, the cost of the data breach cleanup for TalkTalk was estimated
to be up to $94 million. In the wake of the breach, TalkTalk also reported
losing 95,000 customers.