The Information Commissioner has issued internet service provider TalkTalk with a record £400,000 fine for failing to prevent an attack in 2015 which exposed the personal details of nearly 157,000 customers.
The breach revealed names, addresses, dates of birth, phone numbers and email addresses. In nearly 16,000 cases, hackers also gained access to bank account details and sort codes.
The ICO’s investigation found that security failings enabled hackers to access customer data “with ease”, and that TalkTalk had failed to notice two early warnings.
In October last year, attackers successfully targeted three vulnerable webpages to gain access to a customer database which TalkTalk acquired when it bought the UK operations of Italian telecommunications firm Tiscali in 2009.
ICO investigators revealed that TalkTalk had failed to scan the database for possible threats and did not realise the software was outdated.
Staff also failed to identify a bug in the outdated code, for which a fix was available. The ICO noted that the method of attack, SQL injection, is well understood. It added that TalkTalk had failed to identify two earlier SQL injection attacks which could have alerted staff to the vulnerabilities.
Elizabeth Denham, the newly installed Information Commissioner, said in a statement:
“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.
“Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.
“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting.
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
TalkTalk has responded to the fine with the following statement:
“TalkTalk has cooperated fully with the ICO at all times and, whilst this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers.
“During a year in which Government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.
“As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time.”
The £400,000 fine is the largest ever issued by the ICO, which can require companies to pay out up to £500,000.