TalkTalk handed record fine for failing to prevent 2015 cyber attack
TalkTalk has been handed a record £400,000 fine for security failings over a cyber attack which allowed customer data to be accessed "with ease", a watchdog has announced.
The Information Commissioner's Office (ICO) said the attack last October could have been prevented if TalkTalk had taken basic steps to protect customers' information.
Personal data of 156,959 customers including names, addresses, dates of birth, phone numbers and email addresses was said to have been accessed.
According to the ICO investigation, the attack took advantage of "technical weaknesses" in TalkTalk's systems to exploit it and access personal data.
Information Commissioner Elizabeth Denham said: "TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease.
"Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."
The ICO also said that vulnerabilities in TalkTalk's system enabled hackers to gain access to the customer database.
"The data was taken from an underlying customer database that was part of TalkTalk's acquisition of Tiscali's UK operations in 2009," the ICO said.
"The data was accessed through an attack on three vulnerable webpages within the inherited infrastructure. TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information."
The attack was said to have used a common technique known as SQL injection, a bug that is well known and for which defences already exist, the ICO investigation said, adding that TalkTalk "ought to have known it posed a risk to their data".
"The company said it did not know at the time that the software was affected by a bug - for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible."
The investigation also revealed that two earlier attempts had been made by hackers to compromise TalkTalk databases.
"In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting," Denham added.
"Today's record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers."