TalkTalk fined £400,000 for hack attack security blunder

Record penalty dished out by ICO over lack of basic security to prevent attack.

Kelly Fiveash – Oct 5, 2016 2:14 pm | 9

Credit: TalkTalk

Budget telco TalkTalk has been slapped with a record £400,000 fine from the UK’s data watchdog, after it failed to protect its customers’ sensitive information against a hack attack on its systems a year ago.

The Information Commissioner’s Office said on Wednesday that TalkTalk’s “technical weaknesses” meant that miscreants had been able to swipe its customer data “with ease,” and added that the attack could have been prevented had basic security been in place.

TalkTalk’s security breach affected nearly 157,000 subscribers, some of whom had their “obscured credit and debit card numbers” stolen in the attack. It led to a direct “trading impact” of £15 million, after the telco was forced to cut off access to its online services as it scrambled to secure its websites following the breach, which the company is still reeling from a year on.

Earlier this week, TalkTalk—which continues to watch its customer base fall—said that it wouldn’t hike prices for 18 months. Perhaps it was a marketing move to preempt the ICO’s fine.

“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease,” said Information Commissioner Elizabeth Denham.

“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

The regulator also revealed that the targeted data was from an underlying customer database acquired by TalkTalk when it scooped up Tiscali’s UK operations in 2009. Hackers attacked three vulnerable webpages using the SQL injection method, the ICO said, after TalkTalk had failed to spot that the software was affected by a bug, which could have been easily patched.

Prior to the now infamous October attack, TalkTalk’s system had been breached twice—first in July and again in September 2015, the watchdog said.

Denham added that the record fine, which was slapped on TalkTalk for breaching principle seven (information security) of the Data Protection Act, was a warning to other businesses: “cyber security is not an IT issue,” she said, “it is a boardroom issue.”

TalkTalk said it was disappointed with the fine but accepted the ICO’s decision. It said:

During a year in which government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.

As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time.

Scotland Yard’s probe of the hack attack is separate from the ICO’s investigation.