TalkTalk has been fined £400,000 after a mass cyber attack last October led to the exposure of sensitive customer data.
Poor security measures at the firm allowed hackers to access the personal details of 150,000 customers, including the sensitive financial data of more than 15,000 individuals. The Information Commissioner’s Office (ICO) fined TalkTalk and said the attack “could have been prevented if TalkTalk had taken basic steps to protect customers’ information”.
The hackers who targeted the TalkTalk database used a well-known attack technique known as SQL injection. “SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data,” the ICO stated.
“On top of that the company also had two early warnings that it was unaware of. The first was a successful SQL injection attack on 17 July 2015 that exploited the same vulnerability in the webpages. A second attack was launched between 2 and 3 September 2015.”
The bug, which could have been closed had the proper security provisions been in place, allowed the attackers to extract customers’ information with little effort. Despite representations made by TalkTalk, the ICO concluded that the internet provider should have been more thorough in implementing proper security controls.
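To make concrete what “well understood, defences exist” means for the technique named above, here is an added illustration in Python (not code from the article, and not TalkTalk’s system): a customer lookup written with string concatenation beside the same lookup written with a bound parameter. The table names, columns and rows are constructed for the example; the two payloads are the textbook tautology and UNION forms, and the safe version shows that binding the value rather than splicing it into the SQL text neutralises both.

```python
import sqlite3

# Constructed sample data for the example (hypothetical; no relation to any
# real customer records). Schema and contents are assumptions.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.com", "4000-xxxx-xxxx-1234"),
    (2, "bob", "bob@example.com", "4000-xxxx-xxxx-5678"),
    (3, "carol", "carol@example.com", "4000-xxxx-xxxx-9012"),
]
SAMPLE_STAFF = [("admin", "$2b$12$constructed-hash-value")]


def make_db():
    """Build an in-memory database with a customers table and a staff table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, card TEXT)"
    )
    conn.execute("CREATE TABLE staff (login TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.executemany("INSERT INTO staff VALUES (?, ?)", SAMPLE_STAFF)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The classic defect: untrusted input spliced straight into the SQL text,
    so anything the caller supplies is parsed as part of the statement."""
    sql = (
        "SELECT username, email, card FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The defence: a parameterised query. The driver sends the value as data
    bound to the placeholder; it is never interpreted as SQL syntax."""
    sql = "SELECT username, email, card FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two constructed payloads. The first turns the WHERE clause into a tautology
# and dumps every customer row; the second appends a UNION that pulls rows
# from an unrelated table (here, staff credentials) into the same result set.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "nobody' UNION SELECT login, pw_hash, '' FROM staff --"


def demo():
    """Run both lookups against a benign username and both payloads and
    return the row counts, so the difference is visible as numbers."""
    conn = make_db()
    return {
        "benign_vulnerable": len(lookup_vulnerable(conn, "alice")),
        "tautology_vulnerable": len(lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)),
        "union_vulnerable": len(lookup_vulnerable(conn, UNION_PAYLOAD)),
        "benign_safe": len(lookup_safe(conn, "alice")),
        "tautology_safe": len(lookup_safe(conn, TAUTOLOGY_PAYLOAD)),
        "union_safe": len(lookup_safe(conn, UNION_PAYLOAD)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

Against the constructed data the vulnerable lookup returns one row for “alice”, all three customer rows for the tautology payload, and the staff credential row for the UNION payload; the parameterised lookup returns one row for “alice” and none for either payload, because the whole payload is treated as a literal username that matches nothing. Parameterisation is the primary control; input validation and least-privilege database accounts reduce impact further but do not replace it.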
TalkTalk had experienced two similar attacks earlier that year, which should have served as a warning and prompted improvements to its software and data storage systems, the ICO maintained.
Information Commissioner Elizabeth Denham commented:
“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting.”
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue.
“Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers,” said Ms Denham.
The fine is the largest the ICO has ever issued; the maximum penalty it has the authority to impose is £500,000.