3.3 Who were the attackers?
Two days after TalkTalk discovered the attack, its then chief executive, Dido Harding, said during a media interview that the company had suffered a ‘significant and sustained’ cyber-attack and received a ransom demand from someone purporting to be the hacker. The cybercrime unit of the Metropolitan Police had started investigating the attack, but very little information about the attack was available. However, a former detective from the cybercrime unit, Adrian Culley, suspected that the attack was the work of Islamist militants, as a group claiming responsibility for the attack had stated that it was done in the name of Allah. The group also posted sample customer data, claimed to be obtained from the attack, on the website Pastebin, which is often used by hackers for publishing stolen information (Khomami, 2015).
However, three days later, a 15-year-old boy was arrested in Northern Ireland on suspicion of being connected to this attack. On 29 October 2015, a 16-year-old boy was arrested in Feltham, west London. Two days later, a 20-year-old man was arrested in Staffordshire. A further two male teenagers were arrested in Wales and Norwich within the next few weeks. They were all arrested on suspicion of offences under the Computer Misuse Act 1990. It became apparent that the attack had been undertaken by a group of British youngsters.
According to a report from Channel 4 News (White, 2015), a hacker who claimed to have been involved with the TalkTalk attack said the event happened days before TalkTalk discovered the attack. The hacker was in a Skype group call with friends when one member shared a security flaw he had discovered in TalkTalk’s website via a Google search. Such a basic flaw discovery technique should not have worked on a big company like TalkTalk, so they were laughing about TalkTalk’s unbelievably bad security. The hacker further said that multiple people had used the security flaw to extract data from TalkTalk’s customer database: ‘it got passed around … at least 25 people had access to it’. He claimed he only did it for fun and to impress his mates. He further claimed that he warned TalkTalk about the security flaw by posting a tweet an hour before the attack that highlighted the flaw and tagged TalkTalk’s Twitter account, but TalkTalk were not interested.
However, not all the attackers did it for fun. The then 20-year-old man arrested in Staffordshire in 2015, Matthew Hanley, and his friend Connor Allsopp, aged 18 at the time and arrested in 2017, were trying to sell the data that Hanley had stolen from TalkTalk’s website and the website’s security flaw for profit. The pair pleaded guilty to charges relating to the TalkTalk attack.
At the time of writing, six people have been arrested in relation to the TalkTalk attack and five of them have been charged:
- Aaron Sterritt (aged 15 at the time of the attack, so his name was not revealed until 2018) was charged under the Computer Misuse Act and admitted to unauthorised access to computer material. He was ordered to complete 50 hours of community service, apologise to TalkTalk in writing and complete at least one cybercrime education session (News Letter, 2018).
- A 17-year-old, who could not be named because of his age, was arrested in Norwich in November 2015. He was charged under the Computer Misuse Act and admitted to seven offences at Norwich Youth Court in November 2016. The prosecution produced evidence that, in addition to performing the initial breach of the TalkTalk site, the teenager had shared information about the site’s weaknesses on the internet. He was given a 12-month rehabilitation order.
- Daniel Kelley, aged 19 from Wales, was charged with eighteen offences including money laundering and blackmail against the then-CEO of TalkTalk as well as offences under the Computer Misuse Act. Kelley pleaded guilty to eleven charges, including that of blackmail.
- Matthew Hanley and Connor Allsopp were jointly charged with eleven offences at a trial at the Old Bailey in London. They were alleged to have attacked not only TalkTalk but also computers belonging to NASA, the National Climatic Data Center, Spotify, Telstra and the RAC. Hanley was charged under the Computer Misuse Act with committing fraud against TalkTalk customers. Allsopp was charged with two offences of supplying articles. In April 2017, the two were tried at the Old Bailey in London. Allsopp pleaded guilty to all offences. Hanley admitted to the charge of attacking TalkTalk, but not to the other attacks.
You may not have met the Computer Misuse Act 1990. Use the link below or another resource to find out and list the computer misuse offences covered by the Computer Misuse Act 1990, including the latest amendments.
(Great Britain. Computer Misuse Act 1990)
At the time of writing, the Act covers five offences, as listed below. However, new offence(s) or other amendment(s) may have been introduced by the time you attempt this activity.
- 1. Unauthorised access to computer material.
- 2. Unauthorised access with intent to commit or facilitate commission of further offences.
- 3. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
- 3ZA. Unauthorised acts causing, or creating risk of, serious damage.
- 3A. Making, supplying or obtaining articles for use in offence under section 1, 3 or 3ZA.