TalkTalk have been issued with a record fine of £400,00 by the ICO (Information Commissioner’s Office) following their large scale data breach back in October 2015, due to their widely publicised security failings.
The in-depth investigation carried out by ICO found that the attack on the phone and broadband provider could have been prevented if TalkTalk had taken some basic steps to protect their customers’ data. The report stated the firm allowed the cyber attacker to access customer data “with ease”.
It’s been confirmed by ICO’s investigators that the attack took advantage of several technical weaknesses in TalkTalk’s systems, allowing attackers to access the personal data of over 155,000 customers. The information stolen included names, addresses, dates of bird, phone numbers, as well as email addresses. In over 15,000 cases, the assailant was also able to access bank account details and sort codes of victims.
The ICO said TalkTalk failed to properly scan their infrastructure for potential threats, so were unaware the vulnerable pages existed, or that they enabled access to a database that held customer information. They were also unaware the installed version of their database software was outdated; so was no longer supported by the provider.
Information Commissioner Elizabeth Denham commented on the latest update;
“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
On top of this, the Metropolitan Police has also been running a separate criminal investigation, which is still ongoing.
A spokesperson for TalkTalk did not indicate if they will appeal the fine;
“TalkTalk has cooperated fully with the ICO at all times and, whilst this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of customers.
During a year in which government data showed 9 in 10 large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.
As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time.”