The Information Commissioner’s Office issued the fine – the largest ever for a data protection incident – to the company following an investigation after it found it was easy for hackers to access customer data.
Investigators from the ICO found that hackers were able to get into TalkTalk’s systems “with ease” and take advantage of “technical weaknesses.”
In total, 156,959 TalkTalk customers had their personal details stolen by hackers who accessed names, addresses, dates of birth, phone numbers and email addresses. There were also 15,656 incidents where the hacker had access to customers' bank account numbers and sort codes. In addition, 28,000 customers had their obscured credit and debit card numbers accessed.
Under the 7th principle of the Data Protection Act (DPA), companies have a responsibility to securely hold customer data and ensure that it is protected. Elizabeth Denham, the Information Commissioner, said TalkTalk “should have done more” to protect customer information and that it failed to “implement the most basic cyber security measures.”
Cyber security expert Pavankumar Bolisetty said the key to the size of the fine against TalkTalk was the inclusion of bank details.
“The incident is only part of the story – the underlying breach is the failure to have appropriate measures in place,” Pavankumar Bolisetty said. “The hackers exploited a bug for which a fix existed. Not fixing a known problem is the definition of failing to put appropriate measures in place.”
The ICO detailed that just three vulnerable web pages within an “inherited infrastructure” allowed the user data – which counts as personal information under the Data Protection Act – to be compromised. Through the webpages it was possible for a customer database to be accessed – the software behind the database was said to be “outdated”.
“The company said it did not know at the time that the software was affected by a bug, for which a fix was available,” the ICO said in a statement. An SQL injection attack was used to access the database; had the software been patched, the attack would not have been possible.
The ICO also said TalkTalk was targeted by two other SQL attacks in 2015 and should have spotted these and fixed problems. TalkTalk initially said the hack was “significant” and then downgraded the issue to being “much more limited”. The Information Commissioner has not taken the same view.
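The ICO's point is that a known bug with an available fix was left in place and an SQL injection was used to reach the customer database. As an added illustration of that vulnerability class and its standard mitigation (example code written for this page, not TalkTalk's systems or anything from the ICO's findings; the customer table, rows and function names are all constructed), the block below runs the same crafted input through a query built by string concatenation and through a parameterised query, against an in-memory SQLite database:

```python
import sqlite3

# Constructed sample data standing in for the kind of records the article
# describes (usernames and email addresses). Not real customer data.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Build the statement by concatenating untrusted input into the SQL text.

    The caller-supplied value becomes part of the query itself, so a crafted
    string changes the query's logic instead of being treated as a value.
    """
    sql = ("SELECT id, username, email FROM customers WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Pass the untrusted value as a bound parameter (the fix).

    The driver keeps query text and data separate, so the same crafted string
    is compared literally against the username column and matches nothing.
    """
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Return row counts for a benign and a crafted input through both paths."""
    conn = make_db()
    benign = "alice"
    crafted = "' OR '1'='1"  # textbook tautology; here only to show the contrast
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_benign": len(lookup_parameterised(conn, benign)),
        "safe_crafted": len(lookup_parameterised(conn, crafted)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The concatenated version returns every row for the crafted input, while the parameterised version returns none; the difference is entirely in how the value reaches the database, which is why patching the affected component and using bound parameters are the "basic measures" a regulator expects to see in place.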
It’s not the first time an organisation has been fined by the ICO for having poor website security. In 2014, The British Pregnancy Advice Service was fined £200,000 after “thousands” of its users’ details were accessed by a hacker.
In February TalkTalk revealed the damage the hack caused to its business. Financial results showed the company suffered a £15 million trading impact and extra “exceptional” costs of £40m to £45m during the third quarter of 2015. It also shed customers: 95,000 of the 101,000 subscribers it lost over those three months left because of the hack.