TALKTALK HIT WITH RECORD £400,000 FINE OVER ITS 2015 DATA BREACH
TalkTalk has been hit with a record £400,000 fine following a data breach affecting more than 150,000 customers. The Information Commissioner’s Office (ICO) issued the penalty after its investigation revealed the data breach, which occurred last October, could have been prevented.
“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease,” said information commissioner Elizabeth Denham.
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
The cyber attack, which took place between October 15th and 21st last year, saw hackers access 156,959 customers’ personal data “with ease”, including their names, addresses, dates of birth, phone numbers and email addresses, the ICO said.
In 15,656 of these cases, they also had access to bank account details and sort codes. The ICO explained the hackers took advantage of a flaw in three web pages that allowed them to access a database that was part of TalkTalk’s 2009 acquisition of Tiscali’s UK business.
It said the firm was not aware that the version of the database software it was running was outdated and no longer supported, nor that it was affected by a bug that allowed the attackers to bypass security with an SQL injection.
If an available fix had been used, the ICO said the attack would not have been possible. It said two attacks exploiting the same vulnerability happened in July and September 2015, and these should have served as a warning for TalkTalk.
“In spite of its expertise and resources, when it came to the basic principles of cyber security, TalkTalk was found wanting,” Denham said. “Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue.
“Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”