Ouch. The Information Commissioner’s Office (ICO) has today battered budget ISP TalkTalk with a “record fine” of £400,000 because of “security failings” that occurred during last October’s devastating personal data breach and cyber-attack.
The attack combined a Distributed Denial of Service (DDoS) assault with an SQL injection exploit against the ISP's website, which ultimately resulted in a large volume of customers' personal and financial data being stolen.
According to the ICO, the data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali UK in 2009. The data was accessed through an attack on three vulnerable webpages within the inherited infrastructure.
The ICO further states that TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware that the vulnerable pages existed, or that they enabled access to a database holding customer information. That database was also running outdated and unsupported software affected by a known bug that permitted SQL injection, which TalkTalk had failed to fix.
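To make the failure mode concrete, here is a small added example (not code from TalkTalk, the ICO, or the original article) showing what "a webpage that enables access to a customer database" looks like in practice. It uses an in-memory SQLite table of constructed, fictional customers, since the page does not say which database product was involved. The vulnerable lookup pastes the visitor's input into the SQL text; the hardened version passes it as a bound parameter. The payloads, table and column names are assumptions for illustration only.

```python
import sqlite3

# Constructed sample data: fictional customers, not real TalkTalk records.
SAMPLE_CUSTOMERS = [
    (1, "Alice Example", "alice@example.net", "12-34-56", "11111111"),
    (2, "Bob Example", "bob@example.net", "65-43-21", "22222222"),
    (3, "Carol Example", "carol@example.net", "98-76-54", "33333333"),
]


def build_db():
    """Create an in-memory database standing in for an inherited customer store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer ("
        "id INTEGER PRIMARY KEY, name TEXT, email TEXT, sort_code TEXT, account TEXT)"
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The classic mistake: user input concatenated straight into the query text.

    The page was only meant to return name and email for one address, but the
    visitor controls the query structure, not just the value.
    """
    sql = f"SELECT id, name, email FROM customer WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterised query: the driver sends the value separately from the SQL,
    so input can only ever be compared against the column, never change the query."""
    sql = "SELECT id, name, email FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Hypothetical payloads. The first turns the WHERE clause into a tautology and
# dumps every row; the second uses UNION to pull bank details through a page
# that was never meant to expose them (the trailing -- comments out the
# dangling quote the original query would otherwise leave).
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT id, sort_code, account FROM customer --"


def demo():
    """Run each payload through both lookups and return the rows each produced."""
    conn = build_db()
    return {
        "normal": lookup_vulnerable(conn, "alice@example.net"),
        "tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY_PAYLOAD),
        "safe_union": lookup_safe(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Against the vulnerable lookup the tautology payload returns all three customers and the UNION payload returns every sort code and account number; the parameterised lookup returns nothing for either, because the payload is simply compared against the email column as a literal string. Patching the database software would have closed the product bug the ICO refers to, but the page-level flaw shown here is independent of that and is exactly what a routine scan of the inherited infrastructure should have surfaced.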
Elizabeth Denham, Information Commissioner, said:
“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.
Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
In the end, the attacker was able to access the personal data of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses. In another 15,656 cases, the attacker also had access to sensitive bank account numbers and sort codes.
At the time, TalkTalk's CEO, Dido Harding, was both prompt in reporting the incident and engaging with the public. However, the ICO does not appear to have been in a very forgiving mood (much like the ISP's own customers) and has today hit them with a large £400,000 fine.
However, it's hard to feel sorry for TalkTalk, especially since they had "two early warnings" that they were unaware of. The first was a successful SQL injection attack on 17th July 2015 that "exploited the same vulnerability in the webpages", and a second attack was launched between 2nd and 3rd September 2015. Doh!
Elizabeth Denham added:
“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting.
Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
Mind you, the fine pales in comparison to the tens of millions of pounds that TalkTalk has lost or expects to lose as a result of the incident, not least due to the cost of updating their systems and all of the subscribers who understandably chose to abandon ship.
Since then a number of people, including several teenagers, have been arrested as part of the related police investigation. At the end of last month a Westminster court heard how Daniel Kelley (19), who was arrested in Llanelli (South Wales) at the end of last year on suspicion of blackmail, attempted to extort 465 Bitcoins (worth £216K) from TalkTalk following the devastating 2015 cyber-attack on their systems.
Daniel Kelley is also accused of carrying out similar attacks and making related blackmail demands against several other companies from around the world.