TalkTalk has been handed a record £400,000 fine by the ICO for security failings that allowed a cyber attacker to access the data of 156,959 customers “with ease”.
In an unfortunate coincidence for the telecoms firm, the penalty comes in the same week that it launched its latest marketing campaign, ‘This Stuff Matters’.
Personal information exposed included names, addresses, dates of birth, phone numbers and email addresses. In over 15,000 cases, the attacker also had access to bank account details and sort codes.
The attacker used a SQL injection to extract the data from a customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009. The data was accessed through an attack on three vulnerable webpages within the inherited infrastructure. TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.
TalkTalk was not aware that the installed version of the database software was outdated and no longer supported by the provider. The company said it did not know at the time that the software was affected by a bug – for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible.
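The article names the technique (SQL injection against a customer lookup) but not the code behind it. As an added illustration that is not part of the original report and has nothing to do with TalkTalk's actual systems, the Python block below shows the defect class beside its fix: a lookup that pastes user input into a query string, and the same lookup with a bound parameter. The customer table, the column names and the email values are constructed for the example; the point is the behaviour difference, which is the same in any SQL driver that supports placeholders.

```python
import sqlite3

# Constructed sample rows (not real data): id, email, name, bank detail.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.invalid", "Alice", "sort 00-00-00"),
    (2, "bob@example.invalid", "Bob", "sort 11-11-11"),
    (3, "carol@example.invalid", "Carol", "sort 22-22-22"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, "
        "name TEXT, account TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Defective pattern: the caller's input is spliced into the SQL text.

    Anything the caller sends that contains a quote can change the
    meaning of the WHERE clause, so the query no longer filters on one
    email address and can return rows for every customer.
    """
    query = f"SELECT name, account FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    """Hardened pattern: the value is bound to a placeholder.

    The driver passes the value separately from the statement, so it is
    compared as data and is never parsed as SQL, whatever it contains.
    """
    return conn.execute(
        "SELECT name, account FROM customers WHERE email = ?", (email,)
    ).fetchall()


def lookup_with_guard(conn, email):
    """Parameterised lookup plus a sanity check a defender would add.

    A lookup by a field that should identify one customer must return at
    most one row; more than that is logged as an anomaly and nothing is
    returned, which limits the damage if a query is ever built unsafely.
    """
    rows = lookup_parameterized(conn, email)
    if len(rows) > 1:
        # In a real service this would go to the SIEM rather than stdout.
        print(f"ALERT: lookup for {email!r} matched {len(rows)} rows")
        return []
    return rows


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "alice@example.invalid"))
    print("parameterised, normal input:", lookup_parameterized(db, "alice@example.invalid"))
```

The first function is the shape of code that lets an attacker pull a whole table through a single web form; the second is the one-line change that closes it. The guard is a separate, belt-and-braces control: it does not replace parameter binding, but it turns a bulk extraction into a logged event instead of a silent success.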
Information Commissioner Elizabeth Denham said: “Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
The ICO’s investigation was limited to TalkTalk’s compliance with the Data Protection Act. A criminal investigation by the Metropolitan Police is also underway.