Telecoms company TalkTalk has received a record £400,000 fine for security failings that allowed a cyber attacker to access customer data “with ease”.
Following an in-depth investigation, The Information Commissioner’s Office (ICO) found that an attack on the company last year could have been prevented if TalkTalk had taken basic steps to protect customers’ information.
The ICO said the cyber-attack between 15 and 21 October 2015 took advantage of technical weaknesses in TalkTalk’s systems.
The personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses had been accessed by the attacker.
In 15,656 cases, the attacker also had access to bank account details and sort codes.
Elizabeth Denham, ICO information commissioner, said TalkTalk should have done more to safeguard its customer information and that, because it failed to do so, action has been taken.
She said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.”
The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009.
The data was accessed through an attack on three vulnerable webpages within the inherited infrastructure.
The ICO said TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.
TalkTalk said it was not aware that the installed version of the database software was outdated and no longer supported by the provider.
The company added that it didn’t know at the time that the software was affected by a bug for which a fix was available, and which allowed the attacker to bypass access restrictions.
The ICO said that if the bug had been fixed, this would not have been possible.
Ms Denham added: “Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
The ICO’s investigation was limited to TalkTalk’s compliance with the Data Protection Act. It concluded that TalkTalk failed to have in place the appropriate security measures to protect the personal data it was responsible for, a breach of the seventh principle of the Data Protection Act.
A criminal investigation by the Metropolitan Police has been running separately to the ICO’s investigation.
Mark Skilton, cyber security expert and Professor of Practice at Warwick Business School, said: “Although this may be called a record fine at £400,000, it is insignificant to the turnover and customer base of TalkTalk and little more than a sting to TalkTalk's finances.
“Even by factoring in the reported numbers of 157,000 personal details and, of those, the 16,000 who had bank details stolen, it still only equates to £2.50 per head or £25 per person who lost banking data. The fine seems to be ‘proportionate’ to the impact, but shows little regard for the possible risks and lack of due diligence of a company with 4 million subscribers.
“Even if liability insurance may have covered the possible losses of those customers, it still raises questions over digital risk governance and how necessary it is for corporates to take it seriously.”
Mr Skilton said the £400,000 fine could have been invested in better security staff in the company and further investment in cyber monitoring and response detection.
He added: “TalkTalk seem to have got off lightly here even if their argument is that the millions of customers were not at risk: a strong message and fines approach needs to be in place for corporates to manage and treat cyber security as a real corporate risk and not just a customer data mismanagement issue.”