Information Commissioners Office rules incident last October, which saw the personal details of more than 150,000 customers accessed, could have been stopped
TalkTalk has been issued with a record £400,000 by the Information Commissioner’s Office (ICO) for failing to prevent a cyber attack on its systems last year.
Following an in-depth investigation, the ICO found the attack could have been stopped if the telecoms firm, had it taken basic steps to protect customers’ information. Investigators said the attack from October 15-21, 2015 “took advantage of weaknesses in TalkTalk’s systems”.
The attacker accessed the personal data of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes.
Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
Security failings
Data was taken from an underlying customer database that was part of TalkTalk’s acquisition of rival Tiscali’s UK operations in 2009, and this was accessed through an attack on three vulnerable webpages within that infrastructure.
The ICO ruled that TalkTalk failed to properly scan this infrastructure for possible threats and was therefore unaware the vulnerable pages existed or that they enabled access to a database holding customer information.
Investigators found the company the installed version of the database software was outdated and no longer supported by the provider, which said it didn’t know at the time that the software was affected by a bug – for which a solution was available.
This allowed the attacker to bypass access restrictions but had this been fixed, this would not have been possible.
‘Found wanting’
A technique known as SQL injection was used by the attacker. The ICO said this is well understood but defences didn’t exist and TalkTalk should have known it posed a risk.
In addition, TalkTalk had two early warnings that it was unaware of. The first was a successful SQL injection attack in July 2015 that exploited the same vulnerability in its webpages. A second attack was launched between September 2-3, 2015.
Denham continued: “In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting.
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
Disappointed
In a statement, TalkTalk labelled the ICO’s decision to impose the record fine on it as “disappointing” and claimed the attack was notable for its decision to be immediately open with its customers, providing them with the best chance of protecting themselves. It maintained this was the right approach for them and TalkTalk as a business.
“TalkTalk has cooperated fully with the ICO at all times and, whilst this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers.
“During a year in which Government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.
“As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time.”
TalkTalk said it discovered it had been attacked on October 21 while investigating latency on talktalk.co.uk. It took the websites offline and informed law enforcement agencies and the security services. The ICO was also notified in line with its statutory obligations.
Customers were informed the following day as the company tried to establish exactly what had happened and who had been affected. It said it kept them updated throughout, giving them advice on protecting themselves from scammers, and also offered all of them 12 months free credit monitoring.
It found that the personal details of 156,959 customers had been accessed but said there is no evidence to suggest they had been impacted directly as a result of the attack, and has launched a nationwide educational campaign called ‘Beat the Scammers’ to help the public stay safe from fraudsters.
