TalkTalk has been hit with a record £400,000 fine for the cyber attack in 2015 that exposed personal details of more than 150,000 customers.
The new information commissioner, Elizabeth Denham, said the telecoms provider had failed to apply “the most basic cyber security measures”, leaving its database vulnerable to a SQL injection attack because it had not applied a fix for a software bug, even though that fix had been available for more than three years.
“Hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action,” said Denham, who took up her post in July.
“The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009. The data was accessed through an attack on three vulnerable webpages in the inherited infrastructure,” the ICO said.
“TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.
“TalkTalk was not aware that the installed version of the database software was outdated and no longer supported by the provider. The company said it did not know at the time that the software was affected by a bug – for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible.
“The attacker used a common technique known as SQL injection to access the data. SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data.”
Denham said: “In spite of its expertise and resources, when it came to the basic principles of cyber security, TalkTalk was found wanting.”
“The record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
Losses versus responsibilities
The Metropolitan Police is also running a criminal investigation, and in 2015 arrested five people aged from 15 to 20 in connection with the attack.
The ICO pointed out that SQL injection is a common vulnerability that has been well-understood for more than 10 years and for which known defences exist.
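The ICO’s point in the two passages above is that SQL injection is a well-understood class of flaw with a known defence. The following is an added illustration, not code from the article, the ICO or TalkTalk: it uses a constructed in-memory SQLite table (the column names are an assumption, chosen to echo the data types the ICO lists) to show a lookup that builds its query by string formatting, the classic tautology and UNION payloads that make it return every row and expose the schema, and the parameterised query that closes the hole while still handling legitimate input containing a quote.

```python
import sqlite3

# Constructed sample data (an assumed schema, not TalkTalk's): a customer table
# whose sort_code and account_no columns stand in for the banking fields the
# ICO says were exposed for 15,656 people.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice Example", "11-22-33", "12345678"),
    ("bob@example.com", "Bob Example", "44-55-66", "87654321"),
    ("carol@example.com", "Carol Example", "77-88-99", "13579246"),
]

# Payloads an attacker would submit in place of an email address.
TAUTOLOGY = "' OR '1'='1"
SCHEMA_DUMP = "' UNION SELECT name, sql, NULL, NULL FROM sqlite_master --"


def build_db():
    """Create the in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (email TEXT, name TEXT, sort_code TEXT, account_no TEXT)"
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Builds the WHERE clause by string formatting.

    The submitted value becomes part of the SQL text, so a quote character in
    it ends the string literal and whatever follows is parsed as SQL.
    """
    sql = (
        "SELECT email, name, sort_code, account_no FROM customer "
        "WHERE email = '%s'" % email
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """Sends the value separately from the statement as a bound parameter.

    The database never parses the email as SQL, whatever characters it
    contains, so the same payloads simply match no row.
    """
    sql = "SELECT email, name, sort_code, account_no FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run each lookup against the sample data and report row counts."""
    conn = build_db()
    results = {
        # A genuine email returns exactly one row either way.
        "vuln_legit": len(lookup_vulnerable(conn, "alice@example.com")),
        "safe_legit": len(lookup_parameterised(conn, "alice@example.com")),
        # '' OR '1'='1' is always true, so the vulnerable query dumps the table.
        "vuln_injected": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "safe_injected": len(lookup_parameterised(conn, TAUTOLOGY)),
        # UNION with sqlite_master reveals table names and DDL to the attacker.
        "schema_leak": [row[0] for row in lookup_vulnerable(conn, SCHEMA_DUMP)],
        "safe_schema": len(lookup_parameterised(conn, SCHEMA_DUMP)),
        # A legitimate apostrophe breaks the formatted query but not the bound one.
        "safe_apostrophe": len(lookup_parameterised(conn, "o'brien@example.com")),
    }
    try:
        lookup_vulnerable(conn, "o'brien@example.com")
        results["vuln_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["vuln_apostrophe"] = "error"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The contrast the ICO draws is visible in the two lookup functions: the only change is moving the value out of the statement text and into a bound parameter, which is the defence that has been available for far longer than the three years the fix in TalkTalk’s case sat unapplied. The apostrophe case matters in practice because teams that try to patch the vulnerable form by stripping or escaping quotes by hand tend to break legitimate names, whereas parameterisation handles them unchanged.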
The attack accessed personal data of 156,959 customers, including names, addresses, dates of birth, phone numbers and email addresses. For 15,656 people, the attacker also had access to bank account details and sort codes.
“The ICO decided to issue its biggest ever fine to TalkTalk after taking into account a range of factors demonstrating the seriousness of the event. These included that TalkTalk should have known the legacy Tiscali pages existed, that there had been two previous attacks on the same vulnerable page but TalkTalk didn’t take any action and that the software was outdated,” said the ICO.
The maximum fine the ICO can issue is £500,000, but powers coming into force in 2018 mean the data protection watchdog could take this up to 4% of a company’s global revenue.
Read more about the TalkTalk data breach
- TalkTalk has overhauled its security since its controversial data breach in 2015, according to CTO Gary Steen, and is investing in technology to beat its rivals on customer service.
- Most of the recommendations of a government committee inquiry into the TalkTalk breach have been welcomed, but pundits express reservations about some, particularly proposed new fines.
- TalkTalk CEO Dido Harding expects to lose between £30m and £35m as a result of its recent breach.
“If most companies are protecting their data with the latest state-of-the-art software and best practice procedures, any company behind the curve is at risk of serious fines and, of course, loss of reputation and business,” said Mark O’Halloran, a partner at law firm Coffin Mew.
However, some observers questioned whether even a record ICO fine is really enough to make companies improve their security practices.
“Although this may be called a record fine at £400,000, it is insignificant to the turnover and customer base of TalkTalk and little more than a sting to TalkTalk’s finances,” said Mark Skilton, professor of Practice at Warwick Business School.
“It still only equates to £2.50 per head or £25 per person who lost banking data. The fine seems to be ‘proportionate’ to the impact, but shows little regard for the possible risks and lack of due diligence of a company with four million subscribers,” he added.
“The money from the fine could have been invested in better security staff in the organisation and further investment in cyber monitoring and response detection, but it raises the question over current legal punitive measures that focus on specific losses as opposed to corporate responsibilities. TalkTalk seem to have got off lightly.”