Teenage TalkTalk hacker sentenced

He's received a 12-month youth rehabilitation order for his offences.


The teenage hacker who played a key role in the 2015 TalkTalk data breach has been sentenced to a 12-month youth rehabilitation order today, after pleading guilty to seven charges under the Computer Misuse Act last month. Alongside a nominal fine, the 17-year-old has also surrendered his iPhone and a computer hard drive to police. As The Guardian reports, the rehabilitation order is intended to "draw him from the lonely confines of a bedroom and that lonely world of computing to a family where his knowledge and skills could be put to good use and to project that out to the wider world."

The teen used an SQL mapping tool to identify a vulnerability in TalkTalk's website last year, which he then proceeded to publish online. Only two of his seven charges are related to this, though, as during the investigation police discovered he'd targeted other websites, including those of Manchester and Cambridge universities.

He didn't attempt to profit from the TalkTalk hack, and claimed he was just "showing off." But after publishing details of the vulnerability online, others ran with it and bombarded the ISP's website over 14,000 times. More than 150,000 customer details were stolen, including over 15,000 bank details.

Six people have been arrested in connection with the breach, with several court cases in progress. A 19-year-old who was also involved pleaded guilty today to hacking offences (concerning TalkTalk and several other companies), as well as charges of fraud, blackmail and money laundering. After getting hold of customer data, he tried to extort 465 Bitcoins from TalkTalk, worth over £250,000. He'll be sentenced in March 2017.

Speaking at the first sentencing today, chairman of the bench Jean Bonnick said to the 17-year-old: "Your IT skills will always be there -- just use them legally in the future."

In its latest financial report, TalkTalk said it's well on the road to recovery after last year's data breach, which damaged its reputation significantly. Less than six months after the attack, almost 100,000 customers had jumped ship despite the company offering free upgrades in apology.

The Information Commissioner's Office has also fined the ISP £400,000 for failing to patch a known vulnerability that ultimately led to the hack. That's small fry in the grand scheme of things, though. In its last annual report, TalkTalk said it had incurred £42 million in costs related to the breach.