The Information Commissioner said TalkTalk’s security was found wanting
TalkTalk has been fined a record £400,000 by the Information Commissioner’s Office (ICO) for failures in its security which led to a hacker gaining access to its customers’ data.
The ICO found that TalkTalk could have avoided the cyber attack if it took a few basic security steps to protect the information it holds on its customers.
The technical weaknesses in TalkTalk’s security meant that between 15 and 21 October 2015, a hacker was able to exploit holes in the system and swipe data, such as the names, addresses, dates of birth and phone numbers of 156,959 customers.
The attacker also managed to gain access to the bank account details and sort codes of 15,656 customers, making the data leak that bit more severe.
TalkTalk found wanting
The attack on TalkTalk happened when data was accessed through the hacking of three vulnerable webpages the company inherited from Tiscali’s UK business in 2009. TalkTalk’s failure to scan this infrastructure for security vulnerabilities is the reason behind the ICO’s hefty fine.
TalkTalk was apparently not aware that the database underlying the webpages was outdated and no longer supported by its vendor. As a result, it was also unaware that a known bug, for which a fix was available, was present in the infrastructure.
“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting,” said Information Commissioner Elizabeth Denham.
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
TalkTalk’s fine comes courtesy of it being found to have breached the seventh principle of the Data Protection Act for failing to have appropriate security measures in place to protect its customers’ data.
TalkTalk sent a statement to TechWeekEurope highlighting how it had cooperated with the ICO and was respectful of, if disappointed in, the decision.
“During a year in which government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset,” said a spokesperson.
“This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business,” the company said. “As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time.”
Data leaks are becoming prevalent in all manner of tech businesses, notably Yahoo of late, which saw a hack attack two years ago result in the leaking of 500 million of its user accounts, though ironically Yahoo seems quite happy to part with data given its involvement in creating a surveillance system for US intelligence agencies to snoop on its users’ emails.