As one of Britain’s most notorious cybercriminals, Daniel Kelley played a leading role in the TalkTalk data breach in 2015. The hack was catastrophic for the telecommunications company, resulting in financial loss of 77 million pounds sterling (90.7 million euros) and the theft of the data of more than 150,000 customers.
Kelley will then spend four years in prison for hacking TalkTalk, his Welsh university and several other organisations.
But since his release from prison, he has wanted to use the self-taught computer skills that helped him launch devastating cyberattacks to build a real career in cybersecurity.
“I want to get into the industry to earn a living and be able to live my life doing something that I enjoy on a daily basis and that is a passion,” he told Euronews Next.
“It always has been, and always will be, whether I’m actually in the industry or not.”
Now a free man, Kelley has sought employment, shared his cybersecurity knowledge with a growing audience of social media followers, and worked with companies and organizations to improve their cybersecurity posture.
Many of his LinkedIn posts get hundreds of likes, and as a result Kelley has been inundated with job offers from organizations eager to tap into his industry knowledge. But due to being subject to a Serious Crime Prevention Order (SCPO), Kelley is now limited in the industry activities and opportunities he can pursue.
SCPOs are court-ordered for a variety of crimes — including drug trafficking, human trafficking, slavery, fraud, and organized crime, among others — and are usually issued if there are “reasons reasonable to believe that an order would protect the public by preventing, restricting or disrupting the person’s involvement in a serious crime in England and Wales,” according to the Crown Prosecution Service.
In other words, the order provides that there is a “real risk” that the person will again commit offenses “which the public [would] need protection”.
Many cybersecurity job offers
Kelley describes the SCPO as a “prison in a different form”, explaining that it cannot “perform even the most basic and mundane of tasks”.
“Many employers approach me with the idea that I might join their red team or advise on their web application security due to my technical background and success in the bug bounty space. Unfortunately, this is not possible due to the restrictions that I am under,” he said.
“I’m constantly paranoid because I have to make sure I don’t accidentally break any of the conditions.”
The order, he says, not only hinders the former black hat’s chances of landing his dream job in cybersecurity, but affects other aspects of his daily life.
He remembers walking into an electrical store after his release from prison and struggling to buy a phone contract. At the store, an employee asked Kelley to provide a digital signature on a tablet PC.
However, he had to ask for a pen and paper because using a device would have breached his post-prison restrictions.
“Touching this device could have resulted in a 5 year prison sentence, which is longer than my original sentence. I had to wait for them to print out what they wanted me to sign, and it ended in this way,” Kelley said.
Heavy prison sentence for ordering a burger
These restrictions mean that Kelley must disclose the Media Access Control (MAC) address and model information of its devices to the police.
It also needs an authorized third party to install operating systems on a device. And technically, Kelley even faces a hefty prison sentence if he tries to walk into a McDonald’s drive-thru and buy a burger, because he’d have to use a radio to place the order.
“All devices, including two-way radios, must be registered with an agency called LOMU pursuant to a provision of my SCPO,” Kelley said.
“Obviously you use a radio to communicate with someone when you want to place an order. I could be sent back to jail for using one of these unless I ask the store staff l MAC address, make, and model, then register it with the police. Sounds a little ridiculous, but that’s actually what it would mean.”
It’s just one of many everyday things that have become inaccessible to Kelley.
“There are a lot of gray areas that basically ruin my way of life,” he added.
“You have to be in the situation to understand it because it’s hard to understand otherwise. I realize that I have no reason to complain, but nothing in this order makes sense, especially considering that I have a history of not breaking the law for over seven years.
“The first piece of evidence against me was when I was about 12 or 13; I’m now 25, and this order won’t be lifted until I’m 29. So in essence, you could say that my sentence was more than a decade”.
Future in limbo
Until those restrictions are lifted in four years, Kelley’s future as a cybersecurity professional is in limbo. He considered taking a formal course in cybersecurity, but he would still face the challenge of accepting a job offer after graduating.
“A lot of people give me various suggestions, like formal education, but the issue isn’t my technical training or getting a job, it’s what I can and can’t do,” said- he told Euronews Next.
“The question remains relevant and useful for another four years. You cannot read much; at some point you have to do things in a practical context to ensure that your ability remains sharp, otherwise you will become useless. The cybersecurity is an ever-evolving industry that requires you to be proactive in your learning”.
In prison, Kelley had huge ambitions for what his life would look like when he was finally released. He wanted to build a business that would help organizations better understand and combat cyber risks.
“Essentially, it would be an external attack surface management platform that would secure large organizations and enterprises,” he explained. “I was basically taking the methodology that I used as a hacker and applying it in a structured format.”
But Kelley admits he was “extremely naive about the stonewalling of the terms”, and soon realized his business idea would never go ahead as a result of the SCPO.
“A prison ill-equipped to deal with cybercriminals”
He spent most of his time behind bars reading books – and away from computers. As a result, his cybersecurity skills declined.
“The prison was ill-equipped to deal with hackers and cybercriminals. Due to the nature of my sentences and the presence of computers in the education department, I was not allowed by security to attend classes. Alternatively, I had the option of doing the work in the cell, which was only useful to pass the time,” he said.
“Prison is great for helping illiterate people who come into the system, so if you can’t read or write, for example, you’ll come out of it with useful skills if you think about it, but for people who aren’t at this level, prison will not be of any use to them in this context”.
Looking back on his hacking beliefs, Kelley has no regrets about launching cyberattacks on targets like TalkTalk because they taught him invaluable computer skills he can leverage in a cybersecurity role.
He is, however, remorseful about the impact his crimes have had on other people.
“I regret the blackmail, the fraud and all of which there were direct victims,” he concluded.
Only time will tell if he is able or allowed to use these skills to land a legitimate role in cybersecurity and stop others from doing what he did.