TalkTalk customer data breach
An SQL injection attack — committed primarily by four British teenagers — exposed personal data on roughly 157,000 TalkTalk customers, including bank account details. It triggered a record £400,000 UK ICO fine.
- Victim: TalkTalk Telecom Group
- Loss: $90.0M
- Records: 157.0K
- Users: 157.0K
In October 2015, TalkTalk — a UK telecoms operator with approximately 4 million customers — disclosed a "significant and sustained cyber-attack" on its website. Initial public statements suggested the attack might affect all 4 million customers. Final scope was approximately 157,000 customers with personal data exposed and 15,656 with bank account details exposed. The attack triggered the largest UK ICO penalty issued at the time and was traced primarily to four British teenagers.
The case became the canonical British telecom-breach reference and the public-policy motivator for the UK's 2018 expansion of breach-notification rules.
What happened
The attack was technically unsophisticated. TalkTalk's customer-portal infrastructure had basic SQL injection vulnerabilities in a legacy web application that had been inherited as part of TalkTalk's acquisition history. The attackers, primarily UK-based teenagers, identified the vulnerability via automated scanning tools and exploited it manually over several days.
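As an added illustration, not code from the page or from TalkTalk, the pattern behind this class of bug: a customer lookup that splices untrusted input into the SQL text, beside the parameterised form that closes the hole. The customer table, the TT-xxxx references and the sqlite3 in-memory database are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a customer-portal table; not TalkTalk's schema.
SAMPLE_CUSTOMERS = [
    ("TT-1001", "A. Customer", "12-34-56", "00000001"),
    ("TT-1002", "B. Customer", "65-43-21", "00000002"),
    ("TT-1003", "C. Customer", "11-22-33", "00000003"),
]


def build_db():
    """Create an in-memory database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (ref TEXT, name TEXT, sort_code TEXT, account TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, ref):
    """Legacy pattern: the caller's value becomes part of the SQL statement itself,
    so a value containing a quote changes the query's structure."""
    sql = "SELECT ref, name FROM customers WHERE ref = '%s'" % ref
    return conn.execute(sql).fetchall()


def lookup_safe(conn, ref):
    """Parameterised query: the driver sends the value separately from the SQL,
    so it can only ever be compared against the column, never parsed as SQL."""
    return conn.execute(
        "SELECT ref, name FROM customers WHERE ref = ?", (ref,)
    ).fetchall()


def demo():
    """Run both lookups with a normal reference and with a tautology payload and
    return the row counts each one produced."""
    conn = build_db()
    legit = "TT-1002"
    tautology = "x' OR '1'='1"  # constructed: turns the WHERE clause into 'always true'
    return {
        "vuln_legit": len(lookup_vulnerable(conn, legit)),        # 1 row
        "vuln_tautology": len(lookup_vulnerable(conn, tautology)),  # every row
        "safe_legit": len(lookup_safe(conn, legit)),              # 1 row
        "safe_tautology": len(lookup_safe(conn, tautology)),      # 0 rows
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function returns the whole table for the tautology input, which is exactly how a single lookup endpoint turns into a bulk export; the parameterised version treats the same string as a reference that matches nothing. Parameterisation is the fix the ICO finding in this case points at, and it works regardless of how the input was encoded on the way in.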
The intrusion was masked by a parallel distributed denial-of-service attack that consumed TalkTalk's security team's attention. While responding to the DDoS, TalkTalk did not initially notice the SQL injection probing in the same logs.
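Added example, not from the page or from TalkTalk: a small log triage that scores each request on its decoded content rather than on request volume, so that a handful of injection-shaped requests surface even when they sit inside a flood of ordinary traffic. The combined-format log lines, IP addresses, endpoint names and scoring weights are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined-log-format parser: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Content indicators with constructed weights. A lone quote is common in real
# data (names, searches), so it scores low on its own.
PATTERNS = [
    (re.compile(r"'"), 1, "quote"),
    (re.compile(r"--\s*$|/\*"), 2, "comment"),
    (re.compile(r"\b(union|select|insert|update|delete|drop)\b", re.I), 2, "keyword"),
    (re.compile(r"\b(or|and)\b\s*['\"]?\w*['\"]?\s*=", re.I), 2, "tautology"),
]


def parse_line(line):
    """Return ip, status and the URL-decoded request path, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "decoded": unquote_plus(m.group("path")),
    }


def score_request(decoded, status):
    """Score one decoded request; a 5xx alongside any indicator adds weight,
    because error-based probing shows up as server errors on a working endpoint."""
    score, reasons = 0, []
    for pattern, weight, label in PATTERNS:
        if pattern.search(decoded):
            score += weight
            reasons.append(label)
    if score and status >= 500:
        score += 1
        reasons.append("server_error")
    return score, reasons


def analyse(log_text, threshold=2):
    """Count requests per source (the volume view) and collect content-flagged requests."""
    per_ip, flagged = Counter(), []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        per_ip[req["ip"]] += 1
        score, reasons = score_request(req["decoded"], req["status"])
        if score >= threshold:
            flagged.append({"ip": req["ip"], "request": req["decoded"],
                            "score": score, "reasons": reasons})
    return {"per_ip": per_ip, "flagged": flagged}


# ---- constructed sample log: a flood from five sources plus a few probes ----
def _line(ip, path, status, ua="Mozilla/5.0"):
    return f'{ip} - - [21/Oct/2015:20:01:00 +0100] "GET {path} HTTP/1.1" {status} 0 "-" "{ua}"'

PROBE_IP = "203.0.113.7"
FLOOD = [_line(f"198.51.100.{i % 5 + 1}", "/", 503) for i in range(300)]
PROBES = [
    _line(PROBE_IP, "/account?ref=TT-1001", 200),                          # benign
    _line(PROBE_IP, "/account?ref=TT-1001%27", 500),                       # lone quote, server error
    _line(PROBE_IP, "/account?ref=TT-1001%27+OR+%271%27%3D%271", 200),     # tautology
    _line(PROBE_IP, "/account?ref=TT-1001%27+UNION+SELECT+NULL--", 500),   # union probe
    _line("192.0.2.9", "/search?q=O%27Brien", 200),                        # legitimate apostrophe
]
SAMPLE_LOG = "\n".join(FLOOD + PROBES)

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("top talkers:", result["per_ip"].most_common(3))
    for f in result["flagged"]:
        print("flagged:", f)
```

Run against the constructed log, the volume view is dominated by the flood sources, while the three flagged requests all come from a source that made only four requests in total. That is the gap described above: a dashboard that ranks by request count never shows the probing, whereas a content score on decoded request paths does, and the apostrophe in a legitimate search stays below the threshold.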
The exfiltrated data:
- Names, addresses, dates of birth, email addresses, phone numbers for approximately 156,959 customers.
- Bank account numbers and sort codes for approximately 15,656 customers.
- Partial credit card numbers (truncated) for some additional records.
The teenagers
The Metropolitan Police arrested the first suspect — a 15-year-old in Northern Ireland — within five days of TalkTalk's public disclosure. Subsequent arrests over the following weeks identified:
- Matthew Hanley (then 20, Tamworth, Staffordshire) — convicted October 2017 of computer misuse, sentenced to 12 months.
- Connor Allsopp (then 19, Tamworth, Staffordshire) — convicted October 2017, sentenced to 8 months.
- Aaron Sterritt (then 15, County Antrim, Northern Ireland) — sentenced May 2018 to a 12-month community order due to youth.
- Daniel Kelley (then 16, Llanelli, Wales) — separately prosecuted for blackmail and a series of additional offences; sentenced to 4 years' detention in 2019.
The case became a high-profile public reference for young-offender cybercrime. The teenagers had used freely available tools — automated SQL injection scanners — and exploited a fundamental vulnerability that should have been routinely scanned for and patched. The disconnect between trivial technical capability and catastrophic business impact became the public-policy lesson.
ICO penalty
In October 2016, the UK Information Commissioner's Office issued a £400,000 fine — the largest ICO penalty at the time. The ICO's findings:
- TalkTalk had failed to implement basic security measures against SQL injection — an attack vector publicly known for over a decade at the time.
- TalkTalk had not been aware that the vulnerable application existed on its perimeter; it was inherited from a Tiscali acquisition years earlier and had not been included in TalkTalk's standard security audits.
- TalkTalk's breach scope estimates during public disclosure had been confused and contradictory — initially overstated, then significantly revised. The ICO cited this as evidence of inadequate incident-response preparedness.
The £400,000 penalty was the statutory maximum available to the ICO under pre-GDPR law. Under GDPR (which took effect six months later), the equivalent breach could have triggered a penalty in the tens of millions of pounds as a percentage of global turnover.
Impact
- 156,959 customers with personal data exposed; 15,656 with bank account details exposed.
- £60M direct cost to TalkTalk including customer credit, remediation, and brand impact.
- Approximately 101,000 customers left TalkTalk in the year following the breach — about 1 in 40 of TalkTalk's total customer base.
- CEO Dido Harding weathered the immediate incident but eventually departed; her public communications were widely criticised at the time for confusion about scope.
Why it matters
TalkTalk 2015 is the canonical case for legacy-application risk in acquired infrastructure. It established:
- That SQL injection — a well-understood vulnerability with decades of mitigation guidance — remains operationally exploitable at large enterprises, particularly in legacy applications inherited through acquisitions.
- That automated scanning by unsophisticated attackers is operationally sufficient against poorly defended public-facing infrastructure. The TalkTalk teenagers were not state actors and not organised criminals.
- That breach-scope communications during the first 48 hours are reputationally critical. TalkTalk's initial "all 4 million customers" framing — later revised to 157,000 — became a textbook negative example.
- That pre-GDPR enforcement capacity was inadequate. The £400,000 maximum fine was widely cited in the UK GDPR transposition debate as evidence that the ICO needed materially more enforcement power. The 2018 GDPR-aligned UK Data Protection Act dramatically expanded ICO penalty authority — TalkTalk being a key motivating case.
Financial impact
Reported costs in USD
- Business loss: $60.0M
- Remediation: $25.0M
- Fines & settlements: $500.0K
Timeline
- Distributed denial-of-service traffic against TalkTalk's customer-portal infrastructure provides cover for concurrent SQL injection probing.
- TalkTalk publicly discloses 'a significant and sustained cyber-attack' on its website. Initial scope is uncertain — TalkTalk initially suggests 'all four million customers' may be affected before later revising downward.
- TalkTalk receives an £80,000 bitcoin ransom demand. The demand is not paid; TalkTalk reports it to law enforcement.
- Metropolitan Police arrest a 15-year-old in Northern Ireland; subsequent arrests in the following weeks expand to four British teenagers aged 15–20.
- TalkTalk confirms revised scope: 156,959 customers had personal data accessed; 15,656 had bank account details exposed.
- UK Information Commissioner fines TalkTalk £400,000 — the largest ICO penalty issued at the time. ICO finds a basic SQL injection vulnerability and inadequate access controls.
- Matthew Hanley (22) and Connor Allsopp (21) sentenced to 12 months and 8 months respectively. Daniel Kelley (22) was later sentenced to 4 years in 2019 for blackmail and computer misuse offences.
- Aaron Sterritt, a Northern Irish teenager who was 15 at the time of the attack, sentenced to a 12-month community order.
Sources
- ico.org.uk: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/
- bbc.com: https://www.bbc.com/news/business-34611857
- theguardian.com: https://www.theguardian.com/business/2017/oct/04/two-men-jailed-talktalk-cyber-attack