Kelley - described by prosecutors as a “prolific, skilled and cynical cyber-criminal” - will serve a 4-year term in a young offenders' institution, as he was 18 at the time of his arrest. He originally pleaded guilty to 11 computer crime charges in 2016, and has waited over two and a half years on conditional bail to be sentenced.
Data purloined by Kelley included customer names and addresses, dates of birth, payment card details, phone numbers, and email addresses. In total, roughly 157,000 customers were affected by the hack, which cost the company £77 million to rectify.
Repeat Offender
TalkTalk is just one of many organisations targeted by Kelley - others included Zippo Lighters, RC Hobbies, ISP JISC, TAFE Queensland, and Rogers Communications in Canada.
Kelley would “bully, intimidate, and then ruin his chosen victims from a perceived position of anonymity and safety”, prosecutors said. He was eventually caught when authorities traced an IP address used during an attack back to his home.
On occasion, he teamed up with a group of hackers known as Team Hans, but by and large he operated independently. In a particularly egregious example of a team-effort hack, he accessed company contracts, employee records and other sensitive data at Rogers Communications, then contacted an employee by phone and email, referring to the employee's son by name and claiming to be looking at photographs of him. The hack cost the company £400,000 - £580,000.
The very same day, he contacted the company under another guise, and offered to help them up their ‘opsec’ capabilities.
"I am not trying to be rude but really, your security is not very good,” he wrote, offering to show the firm every vulnerability he could find for a fee of 5.2 Bitcoins (£861). The company agreed to the terms and paid, only for Kelley to refuse to cough up and demand more money due to his “leverage in this situation”, demanding 10.5 Bitcoins (£1,706) instead, and threatening to “annihilate [their]business in days” for not offering up the goods. The company paid once again, but Kelley upped the ante further to 25 Bitcoins (£4,206), so FTR contacted police and cybercrime detectives.
His demands continued however, becoming increasingly abusive, until the vice-president received an email threatening his one-year-old son with a picture of him attached.
"I am sure [son's name] wouldn't be able to withstand mental abuse, nor your lovely partner...How fun would it be to find your son's background ruined online before he had even hit 10? Anything is possible with a little editing and modification," he wrote.
His lawyers claimed he’d taken up hacking after failing to secure the requisite GCSE grades to take a level three BTEC college computer course he wished to enrol in.