TalkTalk gets record £400,000 fine for failing to prevent cyber attack
TalkTalk has been fined £400,000 for the security failings that allowed a cyber attack to take place last October.
The fine is the biggest ever issued by the Information Commissioner’s Office and follows an in-depth investigation by the ICO.
Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.
“TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
In the attack, which took place between 15 and 21 October 2015, the personal data of 156,959 TalkTalk customers was accessed, including names, addresses, dates of birth, phone numbers and email addresses.
In 15,656 cases, the attacker also had access to customers’ bank account details and sort codes.
Investigators say the attack took advantage of technical weaknesses in TalkTalk’s systems – specifically three vulnerable webpages that formed part of the inherited infrastructure following TalkTalk’s acquisition of Tiscali in 2009.
It was TalkTalk’s failure to scan these pages for possible threats – and the presence of a bug for which a fix was available – that allowed the attacker to access a database containing customer information.
“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting,” said Ms Denham.
'Open and honest'
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue.
“Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
The attack was discovered on 21 October 2015 during an investigation into latency on talktalk.co.uk.
After receiving a ransom demand, TalkTalk took a number of its websites offline and informed the police. The company informed its customers of the attack the following day.
Over the following three months, TalkTalk lost 100,000 customers and has estimated the total cost of the attack to have been around £60m.
The company was criticised for not allowing customers to leave their contracts without paying a cancellation fee, but did offer people free upgrades to their packages.
A TalkTalk spokesperson said: “TalkTalk has cooperated fully with the ICO at all times and, whilst this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers.
“During a year in which government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset.
“This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.
“As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time.”