TalkTalk has been fined £400,000 by the Information Commissioner's Office (ICO) for the poor data security that led to the theft of the personal data of over 150,000 customers last year.
An investigation by the ICO found that the attack could have been prevented. Elizabeth Denham, Information Commissioner, stated, “TalkTalk's failure to implement the most basic cyber-security measures allowed hackers to penetrate systems with ease. Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
The fine is the largest the ICO has ever issued; under its powers it could have imposed a maximum fine of £500,000, according to the BBC. Jes Breslaw, EMEA director of strategy at Delphix, argues, "Had the EU's GDPR been in operation, that fine could have been in the region of £70 million, based on four percent of annual worldwide turnover for the year in question."
The data was taken from an underlying customer database that came to TalkTalk through its acquisition of Tiscali's UK operations in 2009. It was accessed through an attack on three vulnerable webpages within the inherited infrastructure, which TalkTalk had failed to scan properly for possible threats.
Commenting on the fine, Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, said, “The lesson to other organisations is crystal clear – data is the crown jewels of your business; treat it with the utmost respect, secure it in every way possible both from malicious actors and inadvertent loss or misuse by employees and subcontractors. You are responsible to your employees, customers and suppliers to keep their data safe from the second it is collected.”
In emailed commentary to SCMagazineUK.com, Robert Ganpatsingh, partner at DMH Stallard and cyber-crime specialist, said, “The data breach had a huge impact on TalkTalk customers: over 150,000 customers' details were accessed by hackers. Details accessed included names, addresses, dates of birth, email addresses and phone numbers. Even more seriously, over 15,000 customers had their bank account details accessed. With the overwhelming likelihood that the data taken was passed on to other parties for fraudulent activity, the fallout from this single data breach may be massive.”
“Today's record fine acts as a warning to others that cyber-security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant,” Denham concluded.
A separate police investigation into the data theft, run by the Metropolitan Police independently of the ICO's inquiry, is still ongoing.