Teenager admits hacking offences linked to TalkTalk data breach
A 17-year-old boy has admitted seven hacking offences linked to the TalkTalk data breach in October 2015.
The teenager, who cannot be named for legal reasons, was arrested in Norwich on November 3 last year and charged with breaching the Computer Misuse Act 1990 following an investigation by the Metropolitan Police's Cyber Crime Unit.
He admitted the seven charges when he appeared at Norwich Youth Court on Tuesday. Sentencing was adjourned to December 13.
Telecoms giant TalkTalk fell victim to what it described as a "significant and sustained" attack on its website on October 21, 2015.
The attack resulted in the personal data of nearly 160,000 people being accessed and was branded a "car crash" earlier this year by then information commissioner Christopher Graham.
The Information Commissioner's Office fined the firm a record £400,000 last month for security failings that it said had allowed customers' data to be accessed "with ease". The ICO said that in 15,656 cases, bank account details and sort codes had been accessed.
In July, the firm said the fallout from the cyber attack had cost it £42 million.
Laura Tams, prosecuting, said the charges stemmed from the high-profile cyber attack on TalkTalk, but also included attacks on other websites, including Manchester University, Cambridge University and that of Merit Badges, a small family company that supplies martial arts badges.
"(The youth) was identified as having been involved in the TalkTalk matter, Metropolitan Police officers attended his home address and conducted a search of that and identified electronic devices that they took away for view.
"From that they identified the further offending that you see in front of you today.
"He was using a software programme called sqlmap, which the prosecution say is a hacking tool used to identify vulnerabilities on a website."
She said the tool is "legitimate software" which gives a legal disclaimer warning users that it must only be used to identify vulnerabilities on websites with mutual consent.
In the days before the TalkTalk hack, the youth gained access to a database of 693 staff and students at Manchester University containing email addresses and identity numbers which a "more capable hacker would be able to use for wider criminality", Ms Tams said.
He then attacked a library website belonging to Cambridge University, but both universities traced the IP of the computer used back to the teenager's home address.
More than 600 attempts to hack the TalkTalk website were made in the days before the breach and a person who was not the teenager attempted to download a database, Ms Tams said.
In a Skype conversation on the day of the breach, the teenager told a friend: "I'm going to get f*****."
He added that he had "done enough to go to prison".
The teenager posted the TalkTalk vulnerability on a website, showing others how to access it.
"Anyone could go on there to immediately identify where the vulnerability was," said Ms Tams.
She said the TalkTalk website was targeted more than 14,000 times after details were posted.
Ms Tams said the teenager claimed in an online conversation that he "could potentially have everyone on TalkTalk" and then mentioned "wiping and nuking his digital devices".
Referring to the hack on the martial arts badge website, she said the teenager discussed putting an offer code on the website to give a 100% discount.
A link to a photograph of the teenager and his website was found on the site of one of the universities he targeted, Ms Tams said.
"(The teenager) was the only youth who has been charged in relation to the TalkTalk operation," said Ms Tams. "The others charged are adults and I propose to say no more about that."