TalkTalk fined £400k

by Mark Rowe

The data protection regulator the ICO has issued its biggest ever fine – £400,000 – to TalkTalk. The ICO (Information Commissioner’s Office) says the amount reflects a range of factors demonstrating the seriousness of the event. These included that TalkTalk should have known the legacy Tiscali pages existed, that there had been two previous attacks on the same vulnerable page on which TalkTalk took no action, and that the software was outdated.

The ICO says that it found that an attack on the company in October 2015 could have been prevented if TalkTalk had taken basic steps to protect customers’ information.

ICO investigators found that the cyber attack, between October 15 and 21, took advantage of technical weaknesses in TalkTalk’s systems. The attacker accessed the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes.

Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

The attacker used a common technique known as SQL injection to access the data. SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data, the ICO says. The telecoms company also had two early warnings that it was unaware of. The first was a successful SQL injection attack on July 17, 2015 that exploited the same vulnerability in the webpages. A second attack was launched between September 2 and 3, 2015.
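The defence the ICO refers to is, at its simplest, keeping user input out of the query text. The following is an added illustration and not code from the article, TalkTalk or the ICO: a lookup built by string formatting beside the parameterised version, run against a constructed in-memory SQLite table (the customer rows, the `customers` schema and the helper names are all invented for the example). It also includes a small result-count check of the kind a defender can use to spot a lookup that has stopped meaning what it was written to mean.

```python
"""Vulnerable string-built query beside its parameterised fix, run against a
constructed in-memory SQLite table. Sample data only; nothing here is TalkTalk's."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample customer records (assumption: a simple customers table).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, name) VALUES (?, ?)",
        [
            ("alice@example.com", "Alice"),
            ("bob@example.com", "Bob"),
            ("carol@example.com", "Carol"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Legacy pattern: the caller's input is spliced into the SQL text, so the
    # database cannot distinguish data from query and a crafted value rewrites
    # the WHERE clause. This is the defect SQL injection exploits.
    sql = f"SELECT id, name FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list:
    # Fix: the value is bound as a parameter, so the driver never treats it
    # as part of the SQL statement, whatever characters it contains.
    sql = "SELECT id, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def row_count_anomaly(rows: list, expected_max: int = 1) -> bool:
    # Defensive check: a lookup keyed on one customer's email must never
    # return more than one row. A larger result set is a signal worth logging
    # and alerting on, because it means the query did not do what was intended.
    return len(rows) > expected_max


if __name__ == "__main__":
    db = make_db()
    normal = "bob@example.com"
    # Constructed tautology input of the kind SQL injection relies on.
    crafted = "x' OR '1'='1"
    print("vulnerable, normal input:     ", lookup_vulnerable(db, normal))
    print("vulnerable, crafted input:    ", lookup_vulnerable(db, crafted))
    print("parameterised, crafted input: ", lookup_parameterised(db, crafted))
    print("anomaly flagged on vulnerable:", row_count_anomaly(lookup_vulnerable(db, crafted)))
```

Run as a script, the vulnerable lookup returns every customer for the crafted input while the parameterised lookup returns nothing, and the row-count check flags the first case. The point of `row_count_anomaly` is that the two earlier attacks the ICO mentions would have produced exactly this kind of over-sized result on the affected page; a monitoring rule on result cardinality is a cheap detection that does not depend on recognising the attack string itself.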

For ‘how the investigation unfolded’, visit https://ico.org.uk/.

The ICO found a breach of the seventh principle of the Data Protection Act. A criminal investigation by the Metropolitan Police has been running separately.

Comments

John Madelin, CEO at cyber firm RelianceACSN, said: “This fine reinforces that TalkTalk’s approach to security was unacceptable. At the same time, this is a very small fine compared to what will be possible once the GDPR comes in. An information commissioner could have fined TalkTalk up to £40m given that their global turnover was estimated at close to £1bn. The cost of not doing security properly will increase substantially. Organisations must get serious about addressing basic security requirements. Many businesses are unable to tell you what their critical information assets are and where they are located. Companies are being distracted by new and emerging endpoints – such as IoT devices – and forgetting that data is the crucial point that must be secured. After all, it’s the data that is of value to hackers who must justify the time spent finding weaknesses in security with an end result that is worth money for resale or ransom – this is their ‘product’.

“Once a company has a clear picture of the critical data needing protection, they should ensure that they have properly integrated layers of security – rather than a collection of disparate tools. These layers must be supported by the right processes and a proactive stance to threat hunting. Businesses sharing intelligence and prevention advice between themselves is one way to further prevent against attacks, while a tougher stance from law enforcement will also make cybercrime a far less attractive proposition in the first place.

“Fines are controversial but essential to drive a stronger business interest in resolving the issues that resulted in the TalkTalk incident. Experience shows that making it personal awakens real appetite amongst the wider management team. This in turn results in the business owners, IT, and necessarily specialized Security teams talking and working together to deliver more integrated “built-in” rather than “bolt-on” solutions. This level of maturity is critical if we are to stem the tide of incidents such as this one.”

And Nigel Hawthorn, chief European spokesperson at cloud firm Skyhigh Networks, said: “I am pleased the ICO is taking this particular loss very seriously and believe that the amount is appropriate in the circumstances. Some people may think £400,000 is high, but let’s remember it is only £2.50 per impacted customer.

“However, the real loss to TalkTalk is far greater. It had a stock price drop of 11 percent, claimed to have lost 101,000 customers and had a revenue reduction of £80M in the quarter after the attacks. In addition, the name TalkTalk will forever be linked to this and its other data loss incidents.

“The lesson to other organisations is crystal clear – data is the crown jewels of your business; treat it with the utmost respect, secure it in every way possible both from malicious actors and inadvertent loss or misuse by employees and subcontractors. You are responsible to your employees, customers and suppliers to keep their data safe from the second it is collected.”

© 2024 Professional Security Magazine. All rights reserved.