TalkTalk hacker pleads guilty to role in 2015 data breach

The teenager used an SQL mapping tool and published details of the vulnerability online.


One of the hackers involved in last year's major TalkTalk breach, which saw over 150,000 customer details stolen including over 15,000 bank details, admitted his role in the attack in Norwich Youth Court today. The seemingly remorseful 17-year-old pleaded guilty to seven charges under the Computer Misuse Act, though not all were related to the TalkTalk hack.

While investigating his involvement in the TalkTalk breach, police discovered he had also targeted other websites with SQL mapping software, including those of Manchester and Cambridge universities. TalkTalk was his highest-profile hit, though, and after he posted details of the vulnerability online, the ISP's website was targeted more than 14,000 times, reports the Belfast Telegraph.

It's worth noting that although he bears significant responsibility for the initial hack, he wasn't accused of trying to profit from the customer data in any way. Other parties took that upon themselves after gaining access to the data. He will appear in court again on December 13th, when he'll be sentenced for the charges.

Towards the end of September, another teenager was charged with offences related to the TalkTalk breach. The 19-year-old, who was arrested last November, has been accused of multiple counts of blackmail, hacking and fraud, having allegedly tried to extort a Bitcoin ransom (worth upwards of £200,000) from TalkTalk following the attack. In total, seven people have been arrested as part of the investigation, according to the BBC.

TalkTalk is slowly starting to recover after customer details were exposed in the "significant and sustained cyberattack" it suffered in October 2015. Despite offering free upgrades to all customers in the immediate aftermath, as of the following February almost 100,000 of them had jumped ship because of the breach. Last month, the Information Commissioner's Office fined TalkTalk £400,000 for failing to patch a known vulnerability that allowed the SQL injection technique to succeed. And that's on top of the £42 million in costs the company had already incurred as a result of the hack.

Today's guilty plea happens to have coincided with TalkTalk releasing its latest financial report for the six months ending September 30th this year, with everything seeming to be settling down. "One year on from the cyber attack, we have maintained a relentless focus on looking after our existing customers and keeping up the pace across a wide range of operational improvements to make TalkTalk simpler and better for customers. As a result we have seen significant year-on-year improvements in churn and customer satisfaction," TalkTalk CEO Dido Harding said in the release.