TalkTalk Hacker Guilty of Aiding SIM Swaps; UK Policing of Cybercrime Proven Inept

19-year-old Elliot Gunton has been sentenced to 20 months in prison for stealing personal data and selling it to criminals so they could take control of the phone accounts of their victims. The UK police also seized hundreds of thousands of pounds of Bitcoin that had been paid to Gunton in exchange for his services as a hacker. Gunton first came to the attention of law enforcement for his role in the infamous 2015 hack of TalkTalk, which caused distress for thousands of customers and prompted a sharp fall in shares for the UK telco. However, Gunton’s latest cybercrimes were only discovered because the police were searching his hard drive for sexual images unrelated to his history as a hacker.

In 2015 Gunton was responsible for identifying and publicizing a vulnerability which resulted in a massive data breach at TalkTalk, wiping billions from the company’s valuation and USD50mn from its annual profits. However, Britain’s complacent approach to cybercrime meant Gunton was only given a rehabilitation order for that crime. It seems Gunton’s rehabilitation was not fully successful!

Commenting on Gunton’s new prison sentence, the police congratulated themselves for their sophisticated approach to cybercrime.

“This was a complex investigation which relied on the expertise of officers and staff from the Norfolk and Suffolk Cybercrime Unit. This emerging type of criminality requires police investigators to be at the forefront of technological advancements in order to effectively combat the ever-growing paradigm of cybercrime.”

On the contrary, Britain’s police are so backward that some of their evidence came from Twitter, where Gunton bragged about his secret wealth.

It beggars belief that the police try to stop crime by visiting the houses of offenders like Gunton in order to inspect their hard drives. But that is exactly how the police caught Gunton, who was visited four times between August 2016 and December 2017. The police visits were not even focused on hacking; Gunton is also a potential sex offender and had been given a Sexual Harm Prevention Order (SHPO) because of images previously found on his computer. But even the policing of the SHPO was incompetent, with police admitting to the Eastern Daily Press that Gunton could have easily evaded detection.

“Our unit does not have specialist software for home visits and we have to rely on the honesty of the offender,” said DC Hollis. “It would be impossible for us to know if he has deleted any history.”

It was during one of the visits to check for sexual images that the police noticed Gunton spent a lot of his time ‘rehabilitating’ himself on hacker forums. Instead of devoting a tiny proportion of his cryptocurrency hoard to the purchase of a second computer unknown to the police, Gunton installed software on his primary computer that was designed to clean incriminating evidence from his hard drive. Just having this software was a violation of Gunton’s SHPO, prompting the police to examine his computer at greater length, and leading them to piece together messages between Gunton and the criminals he worked for.

The inadequate sentencing and lax monitoring of Gunton come alongside recent revelations that the UK’s national reporting centre for fraud and cybercrime, also known as Action Fraud, has been insulting the victims of crime before filing their reports in a virtual rubbish bin. The Sunday Times went undercover to learn that…

“…the overwhelming majority of [the reported crimes] are dismissed, either by low-wage employees at an outsourced call centre or a computer algorithm.”

The unspoken truth about UK policing priorities is that hackers and fraudsters are welcome to steal thousands or even millions via modern technology and banking services, so long as none of their crimes leads to trouble on the streets. The police exhibit neither an aptitude for nor an interest in catching high-tech fraudsters, especially if a big company can take the blame or otherwise be made to compensate victims. But this leads to dangerously short-term thinking. The TalkTalk breach also prompted many other crimes, as scammers sold and reused the stolen personal information.

Whilst TalkTalk deserves most blame for its lax security, we should not be treating hackers like misguided youths. Criminals like Gunton are too lazy and greedy to do an honest day’s work, but they invest long hours in learning about vulnerabilities, developing their skills and searching for opportunities. Meanwhile, the police kid themselves about the adequacy of the work they do in response. It would be fairer to say that cybercrime gets little attention in the UK because the police, authorities and politicians would like to pretend it does not happen.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.