2015 TalkTalk data breach


TalkTalk Group head office on Evesham Street, London

In October 2015, British telecommunications provider TalkTalk suffered a cyber-attack against its websites in which attackers exploited SQL injection vulnerabilities in legacy pages inherited from its acquisition of Tiscali. TalkTalk initially described the incident as a "significant and sustained cyber-attack" and reported receiving a ransom demand from individuals claiming responsibility. [1]


Early estimates suggested that personal and banking details of up to four million customers might have been at risk, but TalkTalk later stated that 156,959 customer accounts had been accessed, including 15,656 sets of bank account and sort code details and partial data from 28,000 credit and debit cards. The company said that the card details were obscured and that it was not legally required to encrypt the data that had been stolen. [1]

The breach prompted widespread media coverage, parliamentary scrutiny and regulatory investigation. TalkTalk estimated the direct and indirect costs of the incident at around £77 million and subsequently lost tens of thousands of broadband customers. In 2016 the Information Commissioner's Office fined the company £400,000 for failing to implement appropriate security measures, and in the following years several individuals were convicted of hacking, fraud and related offences arising from the attack, including Daniel Kelley, who was sentenced to four years' detention in 2019. [1]

Context

Dido Harding, who was chief executive of TalkTalk at the time of the 2015 data breach

TalkTalk was founded in 2003 as a subsidiary of Carphone Warehouse. Plans were announced in April 2009 to split TalkTalk into a separately listed company. [2] In May 2009 Carphone Warehouse agreed to purchase the UK subsidiary of Tiscali for £236 million. [3] The purchase was approved by the European Commission in June 2009, [4] and the sale was completed on 6 July 2009. [5] Carphone Warehouse confirmed that the business would be merged into TalkTalk ahead of the planned demerger. [6] Carphone Warehouse's earnings statement in November 2009 reported that the TalkTalk customer base had risen to 4.1 million following the purchase of Tiscali UK. [7] Tiscali UK closed to new business on 7 January 2010, and its portal content moved to the TalkTalk website. [8] TalkTalk thereby inherited systems that had belonged to Tiscali. The ICO later found that TalkTalk was "not aware" that Tiscali's infrastructure included webpages that were still reachable from the internet in 2015, with access to an underlying database known as "Tiscali Master". [1]

In 2014, TalkTalk customer data held in a web-based portal for overseas contractors was improperly accessed by staff at the Indian supplier Wipro. The exposed information, including names, addresses, phone numbers and account numbers for up to 21,000 customers, was later linked to large-scale scam-calling activity, [9] and TalkTalk was fined £100,000 for failing to implement adequate security controls around the portal. [10]

Timeline

TalkTalk chief executive Dido Harding, in a televised interview on the evening of 22 October 2015, the day the breach was announced:

The attack happened yesterday. We brought down all our websites yesterday lunchtime and have spent the last 24 hours investigating with the Metropolitan Police and various security advisors to understand the scale of the attack and what had actually happened. And we've taken the decisions this evening, although it's too early to know what has been attacked and what data has been stolen, that we wanted to take the precaution of contacting all of our customers as fast as possible. [15]

Attack

The attackers exploited SQL injection vulnerabilities in three legacy webpages inherited from TalkTalk's 2009 acquisition of Tiscali, locating them with the automated tool sqlmap. [1] The injection attacks followed a distributed denial-of-service attack on TalkTalk's websites. [13] [20]

The ICO found that the underlying database software was outdated and had not been patched although a fix had been available for several years, and that earlier SQL injection attacks against the same pages in July and September 2015 had not prompted remedial action because the pages were not being adequately monitored. [1] The pages gave access to a database called "Tiscali Master". [11]
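The two failings the ICO identified, injectable legacy pages and probes that went unnoticed, can be shown side by side. What follows is an added example, not code from TalkTalk, Tiscali, the ICO or sqlmap: a lookup written the way a legacy page might have been, splicing the request parameter into the SQL text; the same lookup with a bound parameter; and a check over web-server access-log lines for the signatures an automated injection tool leaves behind. The customer table, the payload and the log lines are constructed for the example, and an in-memory SQLite database stands in for whatever server the real pages queried. The log check is written generally enough to catch common probe forms beyond the one shown.

```python
"""Added illustration, not code from TalkTalk, Tiscali or the ICO: a legacy-style
lookup that splices input into SQL, the same lookup with a bound parameter, and a
small access-log check of the sort that would have flagged the earlier probes.
The table, column names, payload and log lines are all constructed."""
import re
import sqlite3
from urllib.parse import unquote


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for an inherited customer table (not 'Tiscali Master')."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER, email TEXT, sort_code TEXT, account TEXT)"
    )
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?, ?)",
        [(1, "alice@example.net", "11-22-33", "12345678"),
         (2, "bob@example.net", "44-55-66", "87654321")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Legacy pattern: untrusted input becomes part of the SQL text."""
    sql = f"SELECT email, sort_code, account FROM customer WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened pattern: the driver binds the value, so it can only ever be data."""
    sql = "SELECT email, sort_code, account FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# A classic tautology payload; sqlmap's boolean-based tests are variations on it.
PAYLOAD = "' OR '1'='1"


def compare(conn=None) -> dict:
    """Row counts the same payload yields against each version of the lookup."""
    conn = conn or make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, PAYLOAD)),  # whole table
        "safe_rows": len(lookup_safe(conn, PAYLOAD)),              # nothing
    }


# Constructed access-log lines (Apache combined format); hostnames and IPs are
# documentation ranges, the path is invented.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jul/2015:02:11:09 +0100] "GET /legacy/account.php?email=alice%40example.net HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jul/2015:02:11:10 +0100] "GET /legacy/account.php?email=alice%40example.net%27%20AND%201%3D1--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.5 - - [14/Jul/2015:02:11:11 +0100] "GET /legacy/account.php?email=x%27%20UNION%20SELECT%20NULL,NULL,NULL-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jul/2015:02:12:00 +0100] "GET /legacy/account.php?email=bob%40example.net HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Deliberately narrow signatures; a production rule set would carry many more.
SQLI_PATTERNS = [
    re.compile(r"(?i)\bunion\b.*\bselect\b"),            # UNION-based extraction
    re.compile(r"(?i)\b(and|or)\b\s+\d+\s*=\s*\d+"),     # boolean tautology
    re.compile(r"(?i)\bsleep\s*\(|\bbenchmark\s*\("),    # time-based blind
    re.compile(r"'\s*--"),                               # quote plus comment
]


def flag_sqli(log_text: str) -> list:
    """Return (ip, decoded path, reason) for requests that look like SQL injection probes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m["path"])  # decode %27, %20 etc. before matching
        reason = None
        if m["ua"].lower().startswith("sqlmap"):
            reason = "sqlmap user-agent"
        else:
            for pat in SQLI_PATTERNS:
                if pat.search(path):
                    reason = f"payload matches {pat.pattern!r}"
                    break
        if reason:
            hits.append((m["ip"], path, reason))
    return hits


if __name__ == "__main__":
    print(compare())
    for hit in flag_sqli(SAMPLE_LOG):
        print(hit)
```

The tautology payload returns every row from the concatenated query and nothing from the bound one, which is the whole of the fix for the injection itself. The log check makes the second point: an automated tool announces itself in the user-agent by default and, even when that string is changed, the request parameters carry recognisable SQL fragments, so probes of this kind are separable from ordinary traffic whenever someone is actually reviewing the logs or feeding them to a rule engine.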

Perpetrators

It has been suggested that multiple perpetrators attacked TalkTalk separately over a short period, after details of the attack were shared in forums and group chats. [21] Five people in total were arrested in connection with the breach. [21] According to BAE Systems, which TalkTalk engaged to investigate the attack, there may have been up to ten attackers in total. [11]

Damages

On 6 November 2015, TalkTalk stated that 156,959 customer accounts had been accessed, from which 15,656 sort codes and bank account numbers had been taken. Partial data on 28,000 credit and debit cards was also stolen, but that data was insufficient for carrying out transactions on those cards. [31] TalkTalk stated that the stolen data had not been encrypted and that it had not been legally required to encrypt it. [32] [33]

Aftermath

The direct and indirect costs of the attack to TalkTalk have been estimated at £77 million. [27] On 5 October 2016, the Information Commissioner's Office fined TalkTalk £400,000 for failing to take appropriate security measures to protect customer data. [34] [35] TalkTalk lost 98,000 broadband customers in the first half of the year, although 69,000 new customers later signed up. [36]

In 2020 a group of current and former customers issued proceedings against TalkTalk in the High Court, seeking compensation for the 2014 and 2015 incidents under the Data Protection Act 1998 and in the tort of misuse of private information. In May 2022 the court struck out the misuse of private information claim, holding that alleged security failings which enabled third-party criminal access did not amount to TalkTalk's own "misuse" of private information; the remaining claims went forward. [37]

References

  1. "Monetary Penalty Notice: Talk Talk Telecom Group PLC" (PDF). Information Commissioner's Office. 5 October 2016.
  2. "Carphone Warehouse plans to split". BBC News. 22 April 2009. Archived from the original on 25 April 2009. Retrieved 11 January 2015.
  3. "Carphone to purchase Tiscali UK". BBC News. 8 May 2009. Archived from the original on 11 May 2009. Retrieved 11 January 2015.
  4. Felix, Bate; Tutt, Nigel (30 June 2009). "Carphone wins EU approval for Tiscali UK buy". Reuters. Archived from the original on 10 January 2015. Retrieved 11 January 2015.
  5. "Carphone Warehouse CPW Completion of Tiscali Acquisition". Bloomberg. Archived from the original on 24 September 2015. Retrieved 11 January 2015.
  6. Clark, Nick (28 November 2009). "Carphone to unveil TalkTalk chief". The Independent. Archived from the original on 10 January 2015. Retrieved 11 January 2015.
  7. "Carphone raises profit forecast". BBC News. 27 November 2009. Retrieved 11 January 2015.
  8. Meyer, David (7 January 2010). "Carphone announces death of Tiscali UK". ZDNet UK. Archived 11 January 2010 at the Wayback Machine.
  9. Press Association (10 August 2017). "TalkTalk fined £100,000 for not protecting customers' personal data". The Guardian. ISSN 0261-3077. Retrieved 11 November 2025.
  10. Press Association (10 August 2017). "TalkTalk fined £100,000 for not protecting customers' personal data". The Guardian. ISSN 0261-3077. Retrieved 11 November 2025.
  11. Porcedda, Maria Grazia; Wall, David S. (June 2019). "Cascade and Chain Effects in Big Data Cybercrime: Lessons from the TalkTalk hack". 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW): 443–452. doi:10.1109/EuroSPW.2019.00056.
  12. R v Connor Douglas Allsopp [2019] EWCA Crim 95 (England and Wales Court of Appeal (Criminal Division), 30 January 2019).
  13. Oral evidence: Cyber security: Protection of personal data online (Report). HC. London: House of Commons Culture, Media and Sport Committee. 15 December 2015.
  14. "TalkTalk cyber attack – how the ICO's investigation unfolded". Information Commissioner's Office. Retrieved 11 November 2025.
  15. Boakye, Derrick (26 May 2023). "How TalkTalk did the walk-walk: strategic reputational repair in a cyber-attack". Information Technology & People. 37 (4). doi:10.1108/ITP-08-2022-0589.
  16. "TalkTalk Hackers Demanded £80K in Bitcoin". Krebs on Security. 24 October 2015. Retrieved 11 November 2025.
  17. "Boy, 15, arrested after TalkTalk hack". BBC News. Retrieved 12 November 2025.
  18. White, Geoff (5 November 2015). "TalkTalk hack – new details emerge". Channel 4 News. Retrieved 11 November 2025.
  19. "Daniel Kelley: The teen behind the cybercrime screen". BBC News. 10 June 2019. Retrieved 12 November 2025.
  20. Khomami, Nadia (23 October 2015). "TalkTalk hacking crisis deepens as more details emerge". The Guardian. ISSN 0261-3077. Retrieved 11 November 2025.
  21. "Learning from major cyber security incidents". Open Learning. Retrieved 11 November 2025.
  22. "Microsoft hacker avoids jail over multiple cyber-attacks". BBC News. 18 June 2024. Retrieved 12 November 2025.
  23. "TalkTalk hacker Elliott Gunton: Parents acted out of 'misguided loyalty'". BBC News. 2 October 2019. Retrieved 12 November 2025.
  24. "Boy, 17, admits TalkTalk hacking offences". BBC News. 15 November 2016. Retrieved 11 November 2025.
  25. "Teenager appears in court over TalkTalk cyber-attack". The Guardian. Press Association. 27 September 2016. ISSN 0261-3077. Archived from the original on 14 June 2023. Retrieved 13 July 2023.
  26. "TalkTalk hacker Daniel Kelley's blackmail charge dropped". 28 January 2019. Retrieved 6 March 2025.
  27. "TalkTalk hacker Daniel Kelley sentenced to four years". BBC News. 10 June 2019. Archived from the original on 1 November 2022. Retrieved 13 July 2023.
  28. Townsend, Kevin (18 July 2023). "Hacker Conversations: Inside the Mind of Daniel Kelley, ex-Blackhat". SecurityWeek. Retrieved 11 November 2025.
  29. "TalkTalk hack attack: Friends jailed for cyber-crimes". BBC News. 19 November 2018. Archived from the original on 5 February 2023. Retrieved 13 July 2023.
  30. "Two men jailed for involvement in TalkTalk hacking". The Guardian. Press Association. 19 November 2018. ISSN 0261-3077. Archived from the original on 26 November 2022. Retrieved 13 July 2023.
  31. "TalkTalk hack 'affected 157,000 customers'". BBC News. 6 November 2015. Retrieved 1 August 2023.
  32. Fiveash, Kelly. "TalkTalk attack: 'No legal obligation to encrypt customer bank details', says chief". The Register. Retrieved 1 August 2023.
  33. "TalkTalk cyber attack made worse by loose talk". Financial Times. 27 October 2015. Retrieved 6 March 2025.
  34. "TalkTalk's Cyber Security Negligence Gets Hit With £400,000 ICO Fine". 5 October 2016. Archived from the original on 8 December 2016.
  35. "TalkTalk fined £400,000 over cyber theft". BBC News. 5 October 2016. Archived from the original on 22 November 2016.
  36. "Boy, 17, admits TalkTalk hacking offences". BBC News. 15 November 2016. Retrieved 6 March 2025.
  37. Smith & Others v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB) (High Court of Justice (Queen's Bench Division, Media and Communications List), 27 May 2022).