TalkTalk fined £400k for failing to prevent cyber attack
An investigation by the Information Commissioner’s Office (ICO), which imposed the fine, found that the attack last October could have been prevented if TalkTalk had taken “basic steps” to protect customers’ information.
ICO investigators found that the cyber attack between 15 and 21 October 2015 took advantage of technical weaknesses in TalkTalk’s systems.
The attacker accessed the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses.
In 15,656 cases, the attacker also had access to bank account details and sort codes.
The firm had four million customers at the time.
Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.
“Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009.
It was accessed through an attack on three vulnerable webpages within the inherited infrastructure.
Denham said: “In spite of its expertise and resources, when it came to the basic principles of cyber security, TalkTalk was found wanting.
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
A criminal investigation by the Metropolitan Police has been running separately from the ICO’s investigation.