TalkTalk hit with £400,000 fine over 2015 data breach

October 6, 2016 // 9:17 a.m.

Tags: #baroness-warsi #elizabeth-denham #ico #information-commissioner #insecurity #patch #privacy #security #sql-injection #talktalk #vulnerability

The Information Commissioner's Office (ICO) has officially ruled against TalkTalk in its investigation into last year's security breach at the company, fining it £400,000 for failing to protect its customers.

TalkTalk confirmed that it had been breached in October 2015, with attackers walking off with customers' personal details up to and including bank account information and credit card details. While the company pointed to a sophisticated attacker, the arrests that followed suggested otherwise. To add insult to injury, the company also found itself on the receiving end of a very public backlash following comments from company head Baroness Harding that the data 'wasn't encrypted, nor are [we] legally required to encrypt it' - a loose interpretation of the Data Protection Act with which the Information Commissioner's Office appears to entirely disagree.

'TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease,' said Information Commissioner Elizabeth Denham in a statement on the ICO's findings against TalkTalk. 'Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.' The ICO investigation uncovered a string of security failings at the company: a refusal to encrypt personal data; an unwillingness or inability to scan publicly-accessible web pages for known security flaws; use of an outdated database package long since abandoned by its provider, for which no support was available; a security vulnerability in that database software for which a fix was available but had not been installed by TalkTalk; and a failure to act on two 'early warning' attacks against the same vulnerability in July 2015 and September 2015.

The ICO's resulting action is a record £400,000 fine, though that comes as a very small cherry on top of a sundae of fiscal fallout for the company: TalkTalk has estimated the cost of the attack at around £35 million, and lost more than 100,000 customers as a direct result of the loss of confidence in its security.

'TalkTalk has cooperated fully with the ICO at all times and, whilst this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers,' the company claimed in a prepared statement on the ruling. 'During a year in which Government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business. As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time.'
