TalkTalk fined £400,000 for theft of customer details

Image: TalkTalk head office in London (source: PA)

TalkTalk has been fined a record £400,000 for poor website security which led to the theft of the personal data of nearly 157,000 customers.

The cyber attack on its website took place in October 2015.

The Information Commissioner's Office, which imposed the fine, said security was so poor that the attack succeeded "with ease".

TalkTalk said the fine was "disappointing" as it had "co-operated fully" with the investigation.

"The TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves."

The fine is the largest yet imposed by the ICO, which under its powers could have imposed a maximum fine of £500,000.

'No excuse'

The Information Commissioner, Elizabeth Denham, said: "TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease."

"Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.

"TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action," she added.

In nearly 16,000 cases, the attacker was able to steal bank account details.

The ICO explained that TalkTalk had been very lax in enforcing proper security on its own website.

Database software, which held details of customers inherited from the 2009 takeover of a rival firm, Tiscali, was out of date.

As a result, the attacker got hold of the customers' details by attacking three vulnerable web pages, using a well-known hacking technique called SQL injection.


A bug, which could have been fixed, allowed the attacker to bypass restrictions, but the company was simply unaware of the problem or that it could have been solved easily.
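The ICO's finding is that a known class of bug, fixable with a standard change, let an attacker turn a customer lookup into a dump of the table behind it. The following is an added, generic illustration of that class of bug and its fix; it is not TalkTalk's code (which is not public) and not a reconstruction of the three affected pages, whose names and parameters the ICO did not publish. The customer table, the rows in it and the `x' OR '1'='1` input are constructed for the example.

```python
"""Added illustration of SQL injection: a customer lookup that concatenates
user input into the query, beside the parameterised version of the same
lookup. The table and its rows are constructed sample data, not real
customer records."""
import sqlite3

# Constructed sample data; usernames, account numbers and sort codes are invented.
SAMPLE_CUSTOMERS = [
    (1, "alice", "12345678", "12-34-56"),
    (2, "bob", "87654321", "65-43-21"),
    (3, "carol", "11112222", "11-22-33"),
]


def make_db():
    """In-memory database standing in for a legacy customer store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, username TEXT, account_no TEXT, sort_code TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation, so whatever the user
    types becomes part of the SQL and can change the WHERE clause."""
    sql = (
        "SELECT username, account_no, sort_code FROM customers "
        "WHERE username = '" + username + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Passes the input as a bound parameter. The database driver treats it
    as a value only, never as SQL, so the query shape cannot be altered."""
    sql = "SELECT username, account_no, sort_code FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Runs both lookups with a normal username and with an injection payload
    and returns the four result sets for comparison."""
    conn = make_db()
    # Constructed payload: closes the quoted value and appends an always-true
    # condition, so the vulnerable query matches every row.
    payload = "x' OR '1'='1"
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_parameterised(conn, "alice"),
        "injected_vulnerable": lookup_vulnerable(conn, payload),
        "injected_safe": lookup_parameterised(conn, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the ordinary username both functions return the same single row. With the payload, the concatenated query becomes `WHERE username = 'x' OR '1'='1'` and returns every customer, including the bank details columns, while the parameterised query looks for a literal username of `x' OR '1'='1` and returns nothing. Binding parameters is the fix the ICO describes as easy: it is a change to the query code, not to the out-of-date database software around it, although leaving that software unpatched is a separate failing the report also names.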

That was despite two previous, similar cyber attacks earlier in 2015 that should have alerted the firm to the problems with its software and data storage.

"In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting," said Ms Denham.

"Today's record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue.

"Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers."

Arrests

A police investigation of the data theft is still going on.

In May, TalkTalk revealed that the attack had cost it £42m and that 101,000 subscribers had left in the aftermath of the attack.

The firm said at the time of the attack that it appeared to be an attempt to extort money.

Six people, all under 21 years old, have been arrested as part of the police investigation.