ITV Report

Teenager admits seven hacking offences linked to TalkTalk data breach

Credit: PA

A 17-year-old boy has admitted seven hacking offences linked to the TalkTalk data breach in October 2015 after appearing at Norwich Youth Court.

Personal data of 156,959 customers including names, addresses, dates of birth, phone numbers and email addresses was said to have been accessed in the hack.

The Information Commissioner's Office (ICO) said that in 15,656 cases, bank account details and sort codes had been accessed.

The teenager, who cannot be named for legal reasons, was arrested in Norwich on November 3, 2015, and charged with breaching the Computer Misuse Act 1990 following an investigation by the Metropolitan Police's Cyber Crime Unit.

The boy admitted the seven charges when he appeared at Norwich Youth Court on Tuesday.

Laura Tams, prosecuting, said the charges stemmed from the high-profile cyber attack on TalkTalk, but also included attacks on other websites, including Manchester University, Cambridge University and that of Merit Badges, a small family company that supplies martial arts badges.

Ms Tams added that the boy used a software programme called sqlmap, which the prosecution described as a hacking tool used to identify vulnerabilities on a website.

Ms Tams continued that the tool is "legitimate software" which gives a legal disclaimer warning users that it must only be used to identify vulnerabilities on websites with mutual consent.

In the days before the TalkTalk hack, the youth gained access to a database of 693 staff and students at Manchester University containing email addresses and identity numbers which a "more capable hacker would be able to use for wider criminality", Ms Tams said.

He then attacked a library website belonging to Cambridge University, but both universities traced the IP address of the computer used back to the teenager's home address.

More than 600 attempts to hack the TalkTalk website were made in the days before the breach and a person who was not the teenager attempted to download a database, Ms Tams said.

In a Skype conversation on the day of the breach, the teenager told a friend: "I'm going to get f*****."

He added that he had "done enough to go to prison".

The teenager posted the TalkTalk vulnerability on a website, showing others how to access it.

"Anyone could go on there to immediately identify where the vulnerability was," said Ms Tams.

She said the TalkTalk website was targeted more than 14,000 times after details were posted.

In October 2016 the telecoms company was fined a record £400,000 for security failings over the "significant and sustained" cyber attack in 2015 which allowed customer data to be accessed "with ease".

The ICO said the "car crash" hack could have been prevented if TalkTalk had taken basic steps to protect customers' information.

The teenager will be sentenced on December 13.