TalkTalk has been fined a record £400,000 for security failings over a cyber attack which allowed customer data to be accessed ‘with ease’, a watchdog announced.
The Information Commissioner’s Office said the attack last October could have been prevented if TalkTalk had taken basic steps to protect customers’ information.
Personal data of 156,959 customers including names, addresses, dates of birth, phone numbers and email addresses was said to have been accessed.
One cyber expert labelled the attack ‘the Great Train Robbery of the 21st century’.
Another specialist said he warned the company over its cyber security a year before the attack but claimed they failed to implement sufficient changes.
Adrian Culley, a former Metropolitan Police detective who specialised in such cases, told the Sunday Telegraph last October: ‘It is the Great Train Robbery of the 21st century.
‘There is a potentially huge liability for TalkTalk as a result of this. Future compensation payments could put them out of business.’
The ICO said that in 15,656 cases, the attacker had access to bank account details and sort codes.
Information Commissioner Elizabeth Denham said: ‘TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.
‘Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.
‘TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.’
Data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009, the ICO said.
It added that the data was accessed through an attack on three vulnerable webpages in the ‘inherited infrastructure’.
TalkTalk was said to have failed to properly scan this infrastructure for possible threats and was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.
TalkTalk was not aware that the installed version of the database software was outdated and no longer supported by the provider, according to the ICO.
The company said it did not know at the time that the software was affected by a bug – for which a fix was available, the watchdog said, adding: ‘The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible.’
The attack was said to have used a common technique known as SQL injection to access the data.
SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data, the ICO investigation found.
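The ICO's finding turns on a single, well-understood defect: user input concatenated into a SQL string. The following is an added example, not code from the page, from TalkTalk or from the ICO report; the customer table, its column names, the sample rows and the attacker payloads are all constructed for illustration, and nothing is known about TalkTalk's actual schema or queries. It places a lookup built by string concatenation beside the parameterised form, using Python's built-in sqlite3 module, and shows both the data-exfiltration case (a tautology payload returns every row, including bank details) and the edge case the hardened form also fixes (a legitimate e-mail address containing an apostrophe breaks the concatenated query but not the parameterised one).

```python
"""Vulnerable vs. parameterised customer lookup (added example, constructed data)."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory toy 'customers' table. Constructed sample data, not real records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, email TEXT, name TEXT, sort_code TEXT, account TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, name, sort_code, account) VALUES (?, ?, ?, ?)",
        [
            ("alice@example.com", "Alice Example", "12-34-56", "00000001"),
            ("bob@example.com", "Bob Example", "65-43-21", "00000002"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The defect: the caller's string is spliced into the SQL text, so it can change the query."""
    sql = (
        "SELECT name, sort_code, account FROM customers WHERE email = '" + email + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list:
    """The fix: the driver binds the value separately; it can never be parsed as SQL."""
    sql = "SELECT name, sort_code, account FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed attacker inputs (hypothetical, for illustration only).
PAYLOAD_TAUTOLOGY = "' OR '1'='1"      # closes the literal, adds an always-true clause
PAYLOAD_COMMENT = "x' OR 1=1 --"       # same idea, comments out the trailing quote
LEGIT_WITH_QUOTE = "o'brien@example.com"  # benign input that also contains a quote


def vulnerable_raises_on_quote(conn: sqlite3.Connection, email: str) -> bool:
    """True if the concatenated query fails to parse on a quote-bearing input."""
    try:
        lookup_vulnerable(conn, email)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, tautology payload :", lookup_vulnerable(db, PAYLOAD_TAUTOLOGY))
    print("vulnerable, comment payload   :", lookup_vulnerable(db, PAYLOAD_COMMENT))
    print("parameterised, same payload   :", lookup_parameterised(db, PAYLOAD_TAUTOLOGY))
    print("vulnerable breaks on O'Brien  :", vulnerable_raises_on_quote(db, LEGIT_WITH_QUOTE))
    print("parameterised handles O'Brien :", lookup_parameterised(db, LEGIT_WITH_QUOTE))
```

Running it shows the concatenated lookup returning both customers' sort codes and account numbers for either payload, while the parameterised lookup returns nothing for the payloads and simply finds no match for the apostrophe address. The binding step is the whole defence: no escaping, blacklist or input "cleaning" is involved, which is why the ICO could reasonably call the protection basic.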
Ms Denham said: ‘In spite of its expertise and resources, when it came to the basic principles of cyber security, TalkTalk was found wanting.
‘Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue.
‘Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.’
A TalkTalk spokesman said: ‘TalkTalk has cooperated fully with the ICO at all times and, whilst this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers.
‘During a year in which Government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset.
‘This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.
‘As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time.’