A ‘CYNICAL and ruthless’ hacker, motivated by spite and greed, targeted the computer systems at Withybush Hospital, The Herald can confirm.

Daniel Kelley, now aged 21, hacked into networks at Withybush and Prince Philip Hospital, Llanelli. When he did so, he prevented radiographers from viewing vital diagnostic images used to plan treatment for patients. The hacker also disrupted communications between different Health Board sites.

The Court heard that Kelley’s actions caused ‘a serious clinical risk of a catastrophic outcome’.

The hack cost the Welsh Government, which runs big public networks, £400,000 to repair its systems, improve its security systems, and prevent further hacks.

Kelley’s efforts in disrupting vital public services began when he implemented a Distributed Denial of Service attacks at Coleg Sir Gar, where he was a student.

Prosecutors alleged that Kelley’s motivation on that occasion was spite at being denied a place on a Level 3 computing course due to poor performance in his GCSEs.

A distributed denial-of-service (DDoS) attack is an attack in which multiple compromised computer systems attack a target, such as a server, website or another network resource, and cause a denial of service for users of the targeted resource.

In Kelley’s case, he deliberately targeted the College’s computer infrastructure, causing disruption to systems accessed by students and teachers, including examinations.

Having accessed the College network, Kelley was able to exploit its connection to wider Welsh public service computer infrastructure and caused targeted disruption to other bodies which shared the network’s resources.

There is no sign that Kelley committed these acts for anything other than his amusement and the feeling of power it gave him.

While Kelley’s activities had widespread adverse consequences, his next step presented a major escalation.

He hijacked the computer systems of companies in Australia and Canada. The targets included Zippo Lighters, Rogers Communications, RC Hobbies, ISP JISC, TAFE Queensland, and a court transcription service called For the Record in Australia.

He attempted to blackmail company executives by targeting their loved ones and making threats to collapse companies by wrecking their computer systems.

Kelley was arrested in July 2015 but his most audacious blackmail attempt was yet to come.

In October that year, together with a group of other hackers, Kelley took part in “significant and sustained cyber-attack” on TalkTalk.

The group broke into broadband provider TalkTalk’s customer database and stole a copy of its contents.

The stolen records included customer names and addresses, dates of birth, payment card details, phone numbers, and email addresses.

Around 157,000 customers in the UK were caught up in the hack, which was said to have cost TalkTalk £77m to clean up and cost it immeasurably more in lost customer confidence and income.

Kelley then attempted to extort £80,000 in exchange for not leaking the swiped customer database onto the web.

Peter Ratliff, prosecuting, described Kelley as a “prolific, skilled and cynical cyber-criminal” who was willing to “bully, intimidate, and then ruin his chosen victims from a perceived position of anonymity and safety – behind the screen of a computer.

“Where confidential and sensitive information had been stolen in the hack – typically the personal and credit card details of the company’s clients – the defendant would threaten the company with the public release of the material, knowing and exploiting the fact that the release would risk the ruin of the company concerned.

“It is clear from the content of the emails that the defendant sent that he derived enjoyment and excitement from the power he wielded over those he sought to intimidate.”

Sentencing Kelley, Judge Mark Dennis said Kelley hacked computers “for his own personal gratification” regardless of the damage caused.

His attempts at blackmail revealed a “cruel and calculating side to his character”, Judge Dennis said.

Kelley was sentenced to youth detention due to his age at the time of his arrest.

A spokesperson for Hywel Dda University Health Board said “the NHS is increasingly reliant on the use of digital systems to support patient care we hope that this sentence will act as a deterrent to others from attempting to hack public sector organisations in Wales in the future.

“At the time, this hack caused a number issue in Hywel Dda including:-

• Radiologists were unable to effectively report on diagnostic images because the reporting / dictation system we use were unresponsive during the Denial of Service attacks at Prince Philip Hospital. This seriously interrupted clinical workflow and wasted a great deal of Radiologist time. This could have adversely affected the care of patents including those critically ill/injured as without prompt, reliable access to images there is a serious clinical risk.
• Our Patient Administration System at Prince Philip Hospital had response time issues causing difficulties on the Wards, A&E and Maternity departments as well as administrative areas like Medical Records.
• Experienced delays with ICT services at other Health sites in the Llanelli area including Ammanford and Cross Hands Health Centres.

“Following this incident Welsh Government bolstered the Public Sector network (which all public bodies in Wales use) with hardware and software to detect and stop denial of service attacks in the future and mitigate the risks as far as possible.”