TalkTalk only fined £400K for massive data breach

By:
Bill Boyle
Published on:

TalkTalk has been fined 'a record' £400,000 by the Information Commissioner's Office after a huge breach of its customers' data last year

TalkTalk has been fined a record £400,000 by the Information Commissioner's Office (ICO) after a huge breach of its customers' data last year.

The October 2015 cyber-attack saw the data of 157,000 people accessed after weaknesses in TalkTalk webpages were exploited. The stolen information included customers' names, addresses, dates of birth, phone numbers and email addresses. Financial information and  details such as bank sort codes were also stolen.

Information rights regulator the ICO has now decided to hand out its biggest-ever fine after investigating the breach and finding the firm's "failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk's systems with ease."

Despite the fact that is the ICO’s largest ever fine many feel that TalkTalk has walked away from a hugely damaging affair for its customers relatively unpunished.

Information commissioner Elizabeth Denham said: "Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not – and we have taken action."

TalkTalk responded to the ruling with a terse statement on its website: "We have co-operated fully with the ICO at all times and, while this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers.”

Amazingly TalkTalk attempted to make light of the breach, arguing that: "During a year in which Government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business. As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time."

The facts are slightly different. When it suffered the first serious data breach in November 2014, it did not disclose details of the attack until February 2015. On that occasion, customers’ account details and contact numbers were stolen and used by fraudsters who impersonated TalkTalk’s fraud department to steal money via customers’ computers.

In a further incident, it took 36 hours before TalkTalk released details of the security breach. Keith Vaz, Labour MP and ex-chairman of the Home Affairs Select Committee, at the time, questioned the length of time it took to report the attack and said: "it would not be regarded by the public as acceptable.”

TalkTalk had experienced cyber breaches before, yet failed to implement effective firewalls. Although CEO Dido Harding described the breach as a “sequential attack,” it appears that the website was in fact the victim of an SQL injection attack. This is a code injection technique used to attack data-driven applications, which exploits a vulnerability in the software.  These attacks are among the most common and critical threats, allowing hackers to access confidential information and it is not excusable that it allowed its sytems to be vulnerable to this type of schoolboy attack vector.