Aviva phone hacker jailed for 18 months over revenge attack

Esselar co-founder pwned insurance biz after spat with former colleagues

By John Leyden


A senior techie has been jailed for 18 months after he was convicted of hacking into hundreds of phones at insurance firm Aviva, an act of sabotage designed to exact revenge against a firm that supplied security services to the insurance giant.

Richard Neale, 40, pleaded guilty to a hack against Aviva designed to cause maximum embarrassment for Esselar.

Neale co-founded Esselar in 2009 and was a director of the firm prior to leaving in 2013, following a dispute with his former colleagues over an insurance payment. He left on bad terms and subsequently sold his shares.

Neale hacked into the Aviva system in May 2014 on the night that Esselar was giving a security demonstration, wiping data from around 900 phones, the Daily Mail reported.

Aviva unsurprisingly ditched Esselar in the wake of the debacle, costing the firm an £80,000-per-year contract, the BBC added.

As El Reg reported soon after the event, a hacker compromised the MobileIron admin server and posted messages to Aviva's devices implicating the "hart bled" (sic) bug in the attack.

It now looks like a mix of stolen credentials and legitimate but mistakenly unrevoked ones were the main means of the attack.

The taunts posted to Aviva devices after Neale's hack

Neale also used a fake identity he'd created within Esselar's system to reject former colleagues' expense claims. In addition, he hijacked the firm's Twitter account, replacing its logo with a bleeding heart – a calling card designed to signal that the account had been pwned.

The IT industry was reeling from the Heartbleed vulnerability at the same time, so the choice of logo was designed to alarm.

The 40-year-old had pleaded guilty to four counts of "unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer" at an earlier hearing. Guildford Crown Court heard that Neale hacked into his former company's systems over a five-month period.

Sentencing, Judge Neil Stewart said: "You parted on terms and in circumstances that left you nursing resentment. The prosecution describe these offences as revenge... it was plainly born of your resentment."

Esselar rebranded as Mobliciti back in March. ®
