TalkTalk has been slapped with a record £400,000 fine by the Information Commissioner’s Office for security failings that allowed a hacker to access sensitive customer data direct from its systems “with ease”.
The “car crash” hack, which hit the company last October, has already cost TalkTalk an estimated £60m and led to tens of thousands of customers defecting to rivals.
The ICO’s in-depth investigation found that the attack could have been prevented if TalkTalk had taken basic steps to protect customers’ information.
ICO investigators found that the cyber attack between 15 and 21 October 2015 took advantage of technical weaknesses in TalkTalk’s systems. The attacker accessed the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes.
Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate [its] systems with ease.
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009. The data was accessed through an attack on three vulnerable webpages within the inherited infrastructure. TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.
TalkTalk was not aware that the installed version of the database software was outdated and no longer supported by the provider. The company said it did not know at the time that the software was affected by a bug – for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible.
The attacker used a common technique known as SQL injection to access the data. SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data, the ICO investigation found.
On top of that the company also had two early warnings that it was unaware of. The first was a successful SQL injection attack on 17 July 2015 that exploited the same vulnerability in the webpages. A second attack was launched between 2 and 3 September 2015.
Denham added: “In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting.
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
The ICO’s investigation was limited to TalkTalk’s compliance with the Data Protection Act. It concluded that TalkTalk failed to have in place the appropriate security measures to protect the personal data it was responsible for. This is a breach of the seventh principle of the Data Protection Act. It is not yet known whether TalkTalk plans to appeal against the £400,000 fine.
Six people, including three teenagers, have been arrested over the incident, on suspicion of offences under the Computer Misuse Act. The arrests were made in Llanelli, County Antrim, Feltham, Norwich, and Staffordshire.
TalkTalk flayed over brutal treatment of pensioner
TalkTalk hits back at ‘worst customer service’ claim
TalkTalk claims bounceback despite slump in profits
Coppers told TalkTalk to keep schtum over breach
Three held at TalkTalk call centre for data theft
TalkTalk chief hits back: we’re just the punchball
TalkTalk under fire as 4m customers hit by hack