Telecoms giant TalkTalk has been issued a record £400,000 fine by the Information Commissioner's Office (ICO), after poor data security resulted in over 156,000 customers’ details being stolen from the company in a hack.
The ICO’s investigation found that the attack on the company in October 2015 could have been avoided had the telecoms company taken “basic steps” to protect customers’ information.
As a result of TalkTalk’s security failings, hackers accessed names, addresses, dates of birth, and contact details for 156,959 people. Worse still, in about 10% of cases bank details were also stolen.
Information Commissioner Elizabeth Denham says: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.
“Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
How did the hack happen?
Hackers targeted a customer database that TalkTalk acquired from fellow telecommunications company Tiscali in 2009. The database used out-of-date security and was vulnerable to attack. The ICO found that TalkTalk was unaware of its security flaws, and unaware that it had enabled access to sensitive customer information.
Moreover, TalkTalk also failed to spot two earlier security breaches in July and September 2015, which should have provided a warning sign ahead of the October breach.
Ms Denham says: “In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting.
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
A spokesperson for the telecoms company says: “TalkTalk has cooperated fully with the ICO at all times and, whilst this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers.
“During a year in which Government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.”
The spokesperson adds that TalkTalk is unable to comment any further, due to a separate ongoing criminal investigation by the Metropolitan Police.