Two men have been jailed for their part in the 2015 cyber-attack on TalkTalk which cost the firm tens of millions of pounds.
Matthew Hanley, 23, and Connor Allsopp, 21, both of Tamworth, pleaded guilty to offenses under the Computer Misuse Act and were jailed for 12 and eight months respectively.
Hanley is said to have hacked a key database, obtaining files and supplying them to others, which in turn enabled them to hack TalkTalk websites. He also admitted handing over a spreadsheet of TalkTalk customer details to others for use in fraud.
Allsopp admitted supplying a file of customer details to an online user for fraud as well as details of vulnerabilities in the database which would have enabled others to hack it.
Hanley appears to have been the main hacker, with Allsopp instructed to sell the stolen data on his behalf — including the personal and financial details of an estimated 8000 TalkTalk customers.
Although Hanley was arrested just days after the incident, on October 30 2015, police found his machines had been wiped and encrypted. However, they managed to piece together enough evidence to force a guilty plea last year.
Detective constable Rob Burrows from the Met's Falcon Cyber Crime Unit argued that the scheme could have put thousands of people at risk of fraud.
“Hanley hacked into TalkTalk's database with the sole intention to steal customer personal data and sell it to criminals and fraudsters for his and Allsopp’s financial gain. Allsopp was a willing participant in the crime,” he added.
“Hanley thought he was clever covering his tracks, concealing and destroying evidence on his computers; however, the extensive investigation, specialist skills and technical expertise utilized by our team led to the identification of these two virtual offenders, bringing them into the ‘real world’.”
The TalkTalk breach is said to have cost the firm in the region of £77m, although the real figure could be even higher when customer churn and other factors are added in.
Some 156,000 customers were affected, and the ISP itself was fined a near-maximum £400,000 by the ICO for security and data protection failings. A 17-year-old admitted back in 2016 that he was able to hack the firm; it's believed he did so by exploiting SQL injection flaws on forgotten web pages.