Richard Neale, former director at Esselar, a company contracted by Aviva to run its security network, has been jailed for 18 months for hacking 900 phones belonging to Aviva insurance employees. In Guildford Crown Court on Monday he admitted committing four cyber-crimes against his former company under the Computer Misuse Act 1990, described by the prosecution as acts of revenge against the company he helped set up.
When Esselar was due to present a security demonstration to its client Aviva, Neale hacked into 900 mobiles belonging to the insurance company via Esselar’s security software, then wiped their data. Prosecutors said this caused Esselar to miss out on an £80,000-per-year contract, with lost contracts and future business deals valued at £528,000. The company submitted a damages claim for £70,000 and described the future losses as ‘incalculable’, issuing a statement saying: “Our brand was damaged to the point we felt we needed to rebrand.” The company did rebrand itself as Mobliciti.
Neale admitted to hacking into the Aviva system in May 2014. He had created a fake identity in his former company’s system and then used it to reject expenses claims from his former colleagues. Separately he hacked into Esselar’s Twitter account and replaced its logo with a bleeding heart – presumably signifying vulnerability to Heartbleed, demonstrating that security had been breached.
The Daily Mail reported prosecutor Fiona Alexander as saying: “The aim of the attack was to ridicule Esselar. There was a degree of sophisticated planning. The offending persisted over a period of five months. The defendant was motivated by revenge – a serious aggravating feature. There was a grave breach of trust. It wasn’t intended to target just Esselar but also MobileIron and Aviva.” However, the Mail report also described how Neale’s lawyer, Kevin Barry, claimed the relationship between Esselar and Aviva had been “on a knife edge” before Neale’s actions and that “no data was actually lost or permanently compromised”.
Judge Neil Stewart described the attack as “… foolish and childish behaviour by him,” adding: “He would almost inevitably have this traced back to him. It is clear no data was actually lost or permanently compromised as a result of these offences. No personal information, such as that belonging to Aviva employees or customers, was compromised, lost or put in the public sphere, as is often the way with hacking offences. He is the author of his own misfortune. … ruining his career.”
Aviva support staff were reportedly able to change passwords, recover the data and rectify the problems within 24 hours.