Former IT director jailed for hacking into 900 Aviva mobile devices

Richard Neale sentenced to 18 months in prison after 'revenge hack'

A former director of a network security company has been sentenced to 18 months in prison for hacking into almost 1,000 mobile devices owned by insurance company Aviva.

Richard Neale, 40, had been IT director of Esselar, a company he founded alongside Shane Taylor and Simon Rogan. However, Neale had a disagreement with his colleagues in November 2013 and subsequently left the organisation.

But rather than just walk away from Esselar, Neale decided to take revenge on his former co-workers in a hack that cost it £500,000 of future business. Neale admitted that he hacked into the Aviva system in May 2014, on the same night Esselar was giving a security demonstration, and wiped data from 900 phones.

The act caused Aviva to end its £80,000-a-year contract with Esselar and, according to prosecutors, caused the company to lose £528,000 in other business as a result of the breach. Neale's actions caused so much damage to the Esselar brand that the company has subsequently rebranded itself "Mobliciti".

Neale set up a fake login under the name of Shane Taylor and used it to reject expenses claims of employees. He also hacked into Esselar's Twitter account.

During the sentencing at Guildford Crown Court, Judge Neil Stewart said that Neale's actions had "damaged confidence and reputations in a way that can be far-reaching and serious".

Prosecutor Fiona Alexander told the court: "The aim of the attack was to ridicule Esselar. There was a degree of sophisticated planning.

"The offending persisted over a period of five months. The defendant was motivated by revenge - a serious aggravating feature. There was a grave breach of trust.

"It wasn't intended to target just Esselar but also... Aviva. Over 900 devices were wiped by the defendant's actions," Alexander added.

She told the court that Esselar's "tangible" losses amounted to more than £500,000, but the full extent of loss to the company was "simply incalculable".

In a statement read to the court by Alexander, the company stated: "Yes, we survived, but there were times we thought we may not. Our brand was damaged to the point we felt we needed to rebrand".

Sentencing Neale to 18 months in prison, Judge Stewart said: "You parted on terms and in circumstances that left you nursing resentment.

"The prosecution describes these offences as revenge; you use the expression 'causing mischief'. What form of words you use is beside the point: it was plainly borne of your resentment."

Neale pleaded guilty to four acts of cyber crime under the Computer Misuse Act 1990 during an earlier hearing.

Neale's conviction comes as 'Spam king' Sanford Wallace pleaded guilty to sending 27 million unsolicited messages via Facebook in a five-month campaign after gaining access to some 500,000 accounts. Wallace faces three years in jail.

Computing's Enterprise Security and Risk Management Summit takes place later this year and is free to attend for qualified end users. Register here.