Teenager faces prison for cyber crime spree which lasted a year
Two teenagers involved in a £42 million TalkTalk data hack were brought before the courts - with one facing jail for a year-long cyber crime spree.
A 17-year-old boy said he was just "showing off" to his friends when he posted details of a chink in the firm's online security.
Even though he did not gain from it, the youth paved the way for others to exploit the weakness for money by accessing the data of 160,000 people.
Among the key players was 19-year-old student Daniel Kelley who went on to blackmail chief executive Dido Harding and others at the company for 465 Bitcoins, worth around £285,000 at today's rate.
Police said that Kelley played a "focal" role in the TalkTalk hacking last October as part of a year-long cyber crime spree, before he was caught.
Officers tracked down his online persona to his real-world identity through investigations into the blackmail emails sent to TalkTalk staff.
After identifying him, officers found he was already on bail for other cyber crime.
At an Old Bailey hearing, Kelley pleaded guilty to 11 charges of hacking, blackmail, fraud and money laundering.
Prosecutor Robert Davies said the defendant had also hacked into the website of Coleg Sir Gar, the Welsh college where he was a student.
Kelley's DDoS - Distributed Denial of Service - attack on his own college computers had interfered with the system at a nearby hospital, keeping doctors waiting for results.
The defendant accepted that on November 4 last year he offered to supply computer files containing details of the users of the TalkTalk website, Telecom Group Plc, JJ Fox Ltd and TAFE Queensland.
The court heard he had about 5,000 sets of credit card data which were "clearly of interest to those who want to commit fraud", Mr Davies said.
He posted on a "hacker type site", offering sensitive data for sale, the court heard.
And he demanded "with menaces" 15 Bitcoins from RC Hobbies in Australia, a company which makes remote controlled cars.
The Crown accepted the guilty pleas and said a further eight charges will lie on file as it was not in the "public interest" to pursue a trial.
The defendant, of Heol Dinbych, Llanelli, South Wales, was remanded on conditional bail until sentencing on March 6.
Judge Paul Worsley told Kelley: "You are a young man of 19 with no previous convictions.
"I renew your bail on the same terms as before but I warn you of this: in any view these offences to which you have pleaded guilty, custody is inevitable and you should prepare yourself."
Outside court, Detective Chief Inspector Jason Tunn said: "Daniel Kelley pleaded guilty to hacking into the TalkTalk database, blackmailing the CEO and offering to sell data. These are very serious offences. He is a focal offender for this.
"What I would say to people considering being involved in cyber crime and sitting there in the confines of your bedroom thinking you are anonymous - if you commit offences we will collaborate with other forces and the National Crime Agency. If we identify you, we will arrest you."
He added: "Cyber crime and data breaches are on the increase. What companies have to do now is make sure they are as secure as they can be."
"Kelley is a prolific and calculating cyber criminal who has caused considerable damage, harm and loss; not only to those he directly blackmailed, but to the hundreds of thousands of customers of the companies whose personal details have either been stolen or used to try and extort money.
"The fact that Kelley was taking part in the cyber-attack against TalkTalk whilst on police bail for other similar offences shows his total disregard for the law. Excellent digital forensic and investigative work by all the officers has shown that cyber criminals cannot hide themselves totally and we will do all we can to identify and prosecute them."
Meanwhile at Norwich Youth Court, the 17-year-old youth, who cannot be named, was handed a 12-month youth rehabilitation order and had his iPhone and computer hard drive confiscated.
The teenager found the vulnerability in the TalkTalk website using "legitimate software" and shared details of this online.
While he did not exploit the information for gain, the TalkTalk website was targeted more than 14,000 times after the boy exposed the vulnerability.
The firm said the fallout from the cyber attack in October 2015 cost it £42 million and the personal data of nearly 160,000 people was accessed.
The teenager told magistrates "I was just showing off to my mates" as he admitted seven hacking offences.
In a Skype conversation on the day of the breach, he told a friend he had "done enough to go to prison".
Sentencing him on Tuesday, chairwoman of the bench Jean Bonnick said: "Your IT skills will always be there - just use them legally in the future."
Two of the seven charges related to the TalkTalk hack, and the boy admitted targeting other websites including Manchester University, Cambridge University and that of Merit Badges, a small family company which supplies martial arts badges.
An application to lift reporting restrictions on the court case and name the teenager was refused by magistrates.
Chris Brown, mitigating, said: "Part of the work that's ongoing is to draw him out of his bedroom and into the family and properly into the public arena, to someone who doesn't hide behind a computer for nefarious purposes.
"He has already committed an offence that has changed his life within his family, his home, his future prospects.
"I would ask you don't expose that to the world for him to continue to bear that burden through his young life."
He said the teenager, who sat in court with his mother, was from a supportive family but the "one place you can't be so protective these days is online".
After the hearing, Laura Tams, of the Crown Prosecution Service Organised Crime Division, said: "This case involved the deliberate exposure of a security issue on the TalkTalk website which is used by thousands of people every day.
"Through analysis of online chats and other digital footprints, prosecutors were able to demonstrate exactly how the defendant found this weakness and shared the details online."
The teenager must complete 24 hours of activities as part of the youth rehabilitation order, and he was ordered to pay £85 court costs and a £15 victim surcharge.