TalkTalk gets record £400k slap-slap from Brit watchdog

Details of carelessness disclosed with in-depth investigation of breach


The UK Information Commissioner's Office (ICO) has issued TalkTalk with a record £400,000 fine for allowing attackers to access customer data “with ease”.

The penalty comes at the same time as the ICO publishes its in-depth investigation of last October's megabreach, which the office claims “could have been prevented if TalkTalk had taken basic steps to protect customers’ information.”

According to the investigation, Brit ISP TalkTalk had hosted three webpages that were vulnerable to SQL injection. These had come into TalkTalk's infrastructure with its 2009 acquisition of Tiscali, but the company had failed to properly assess the inherited IT for possible threats.

Exploiting this vulnerability, an attacker managed to access the personal data of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 of these cases, the attacker also had access to bank account details and sort codes.

Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”

“Yes hacking is wrong,” Denham added, “but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

TalkTalk's security failures extended to not knowing that its database software (which the ICO did not name) was not only outdated, but so old that the vendor no longer supported it.

The company said it did not know at the time that the software was exposed to the easily fixed SQL injection vulnerability, despite two earlier warnings it says it was unaware of: a successful SQL injection attack on 17 July 2015 that exploited the same vulnerability in the webpages, and a second attack launched between 2 and 3 September 2015.
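The flaw class the ICO describes in the three Tiscali-era pages, as an added illustration rather than TalkTalk's or Tiscali's own code (neither the pages nor the database schema are public): a customer lookup that splices user input straight into its SQL, beside the parameterised form that closes the hole and is the "easily fixed" part. The table, rows and attacker payload are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for a customer table (not TalkTalk's schema).
CUSTOMERS = [
    (1, "alice", "Alice Example", "11-22-33", "12345678"),
    (2, "bob", "Bob Example", "44-55-66", "87654321"),
]


def make_db():
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, username TEXT, name TEXT, "
        "sort_code TEXT, account TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """The injectable pattern: the request parameter is concatenated into the
    query text, so anything the attacker types is parsed as SQL."""
    sql = ("SELECT name, sort_code, account FROM customers "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """The fix: the value is bound as a parameter and is never parsed as SQL,
    so the same payload is just a username that matches no row."""
    return conn.execute(
        "SELECT name, sort_code, account FROM customers WHERE username = ?",
        (username,),
    ).fetchall()


# A tautology payload: closes the quoted string and appends an always-true clause,
# turning a one-customer lookup into a dump of every customer's bank details.
PAYLOAD = "' OR '1'='1"


def demo():
    """Return (rows leaked by the vulnerable lookup, rows returned by the fixed
    lookup for the same payload, rows for a legitimate username)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)        # every row in the table
    same_payload_fixed = lookup_parameterised(conn, PAYLOAD)  # nothing
    legitimate = lookup_parameterised(conn, "alice")          # exactly one row
    return len(leaked), len(same_payload_fixed), len(legitimate)


if __name__ == "__main__":
    print(demo())
```

The vulnerable function is what the ICO notice means by a page that lets data be read "with ease": no database bug is needed, only a URL parameter. Parameterisation fixes the page regardless of how old the database server is, which is why the ICO treated it as a basic step rather than a patching question.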

Denham stated: “In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting.”

She added: “Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”

A criminal investigation by the Metropolitan Police has been running separately to the ICO’s investigation. ®
