Teenage hacker in data breach at TalkTalk was ‘just showing off’
THE head of the telecoms giant TalkTalk fell victim to blackmail by cyber criminals after a teenage boy hacked into its website then boasted about it online, a court has heard.
The boy, aged 17, who cannot be named for legal reasons, used hacking software to identify TalkTalk’s vulnerabilities. He then posted the details online, which resulted in the website being targeted more than 14,000 times, Norwich Youth Court was told.
The teenager, who also targeted data held by Manchester University and Oxford University, admitted seven hacking offences and told magistrates: “I didn’t really think of the consequences at the time. I was just showing off to my mates.”
TalkTalk eventually fell victim to a “significant and sustained” attack in which the personal data of nearly 160,000 people was compromised. It was branded a “car crash” earlier this year by the then information commissioner Christopher Graham.
The TalkTalk attack prompted an investigation by the Metropolitan Police Cyber Crime Unit and the teenager was arrested in Norwich on Nov 3 2015 and charged with breaching the Computer Misuse Act 1990.
Laura Tams, prosecuting, said he used a “legitimate software” program, SQL map, which is a tool to identify vulnerable web security. But it should only be used if the website consents. Ms Tams said that in the days before the TalkTalk hack, the youth had gained access to data on 693 staff and students at Manchester University, gleaning details which a “more capable hacker would be able to use for wider criminality”.
He then attacked a library website for Cambridge University.
She said the boy had claimed in an online conversation that he “could potentially have everyone on TalkTalk” and then mentioned “wiping and nuking his digital devices”.
Chris Brown, in mitigation, reminded the court that it was not the prosecution’s case that what happened at TalkTalk “lies solely at the teenager’s door”. But that a third party took advantage of the situation.
“That’s someone acting completely apart from him [the teenager]. That person used the vulnerability in TalkTalk days later to demand things and emailed the chief executive with blackmail efforts,” Mr Brown said.
“You’re dealing with someone who at the time was just 16 years old, who created a number of personas online,” said Mr Brown. “Personas that talked about his abilities as a hacker.”
“The thrill was in the chase,” Mr Brown added. “It was not in damaging their website or causing loss to them. It was playing.”
Sentencing was adjourned to Dec 13, but the chairman of the bench, Jean Bonnick, said magistrates may be minded to spare the teenager jail.