Matthew Hanley, 23, and Conner Allsopp, 21, both of Tamworth in England, received their sentences at the Old Bailey in London on Monday. Hanley was sentenced to 12 months' imprisonment and Allsopp to eight months.
The sentences were issued after both men had previously pled guilty to offences under the UK's Computer Misuse Act.
Hanley was responsible for "hacking the TalkTalk database, obtaining files to enable the hack of websites and supplying these files to others". He also supplied a spreadsheet of TalkTalk customer details for use in fraud, the Metropolitan Police Service said in a statement.
Allsopp was responsible for supplying an article for use in fraud and supplying a computer file to enable hacking intended for the commission of an offence under the Computer Misuse Act, the Met said.
"An intensive investigation into Hanley’s communications uncovered evidence concerning his involvement in the hack and actions he took to destroy and conceal evidence," the Met said. "Having successfully gained access and acquiring the data, he instructed Allsopp to sell the data on his behalf for financial gain."
"[Allsopp] admitted attempting to sell the customer data Hanley had stolen and sell details of TalkTalk vulnerabilities that would have enabled others to hack into the TalkTalk database," it said.
In October 2015, TalkTalk reported that it had been the victim of a "significant and sustained" cyber attack. The company initially warned all four million of its customers that their personal data may have been compromised, but subsequently established that the incident impacted approximately 157,000 customers.
TalkTalk was fined £400,000 by the Information Commissioner's Office (ICO) – a record fine at the time – after the watchdog found it responsible for a serious breach of UK data protection laws. The ICO uncovered a number of "matters of serious oversight" in TalkTalk's data security practices in the run-up to the attack, which included operating outdated software and not undertaking "appropriate proactive monitoring" for system vulnerabilities.
In late 2016, a 17-year-old was fined £85 and handed a 12-month youth rehabilitation order over their role in the TalkTalk cyber attack. The youth admitted to seven offences under the Computer Misuse Act. The Crown Prosecution Service said at the time that they had "used software illegally to hack the website" of TalkTalk and then "posted information about the vulnerability on a website accessible to others".