A 17-year-old boy has admitted seven hacking offences in connection with the TalkTalk data breach in Norwich Youth Court today.
The teenager, who cannot be named for legal reasons, found a vulnerability in the website when using a “hacking tool” then posted details of this vulnerability online, Norwich Youth Court heard on Tuesday.
While he did not exploit the information for gain, the TalkTalk website was targeted more than 14,000 times after the boy exposed the vulnerability, said Laura Tams, prosecuting.
The teenager was arrested in Norwich on November 3 last year and charged with breaching the Computer Misuse Act 1990 following an investigation by the Metropolitan Police’s Cyber Crime Unit.
He admitted the seven charges when he appeared at Norwich Youth Court on Tuesday. Sentencing was adjourned to December 13.
Ms Tams said police raided the teenager’s home after he was identified as having been involved in the TalkTalk breach.
An iPhone, a USB stick and an Apple Mac Air laptop were seized and analysed, and showed the teenager had been involved in attacks on other websites including Manchester University, Cambridge University and that of Merit Badges, a small family company that supplies martial arts badges.
Ms Tams said the teenager used a “hacking tool” called SQL map to identify vulnerabilities on websites.
It was “legitimate software” which gives a legal disclaimer warning to users that it must only be used to identify vulnerabilities on websites with mutual consent,” she said.
In a Skype conversation on the day of the breach, the teenager told a friend he had “done enough to go to prison”.
Chris Brown, mitigating, said the teenager did not discover the vulnerability and it had been discussed by other people before the breach.
He said hundreds of attempts were made by others, but the teenager’s attempt was successful.
He said of the boy’s actions: “It’s inexplicable to the rest of us – why get in so much trouble for what’s bravado, to prove you can, to prove you’ve got the skills.”
He added the teenager’s role was limited to “signposting”.
The teenager, who admitted he knew his actions were illegal, told magistrates: “I didn’t really think of the consequences at the time.
“I was just showing off to my mates.”
Chairman of the bench Jean Bonnick said magistrates were minded to spare the teenager jail, but that further reports were needed first.
Telecoms giant TalkTalk fell victim to what it described as a ”significant and sustained” attack on its website on October 21, 2015.
The attack resulted in the personal data of nearly 160,000 people being accessed and the ICO said that in 15,656 cases, bank account details and sort codes had been accessed.
In May, the firm said the fallout from the cyber attack had cost it £42 million.
A second man has been charged in a separate case over the alleged hack and data theft.
Daniel Kelley, 19, of Heol Dinbych in Llanelli, South Wales, faces 14 charges – eight of blackmail, four computer hacking offences and two fraud offences and is due to appear at the Old Bailey on Friday for a plea and trial preparation hearing.
It is alleged that he hacked TalkTalk to get customer data and demanded a payment worth around £216,000 in the online currency Bitcoins.
Prosecutors also claim that he carried out similar attacks on cigarette lighter manufacturer Zippo and an educational business in Queensland, Australia in 2015.