
UK ISP TalkTalk Hit by HUGE £400,000 Fine for Personal Data Breach

Wednesday, October 5th, 2016 (2:04 pm) by Mark Jackson (Score 918)

Ouch. The Information Commissioner’s Office (ICO) has today battered budget ISP TalkTalk with a “record fine” of £400,000 because of “security failings” that occurred during last October’s devastating personal data breach and cyber-attack.

The attack was the result of a combined Distributed Denial of Service (DDoS) assault and an SQL Injection exploit against their website, which ultimately resulted in masses of personal customer and financial data being stolen.

According to the ICO, the data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali UK in 2009. The data was accessed through an attack on three vulnerable webpages within the inherited infrastructure.

The ICO further states that TalkTalk failed to properly scan this inherited infrastructure for possible threats and so was unaware that the vulnerable pages existed, or that they enabled access to a database holding customer information. This database was also running outdated and unsupported software that was affected by a known SQL injection bug, which TalkTalk failed to fix.
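To make the failure mode concrete, here is an added example (not TalkTalk's code, nor from the ICO's report) that models a legacy customer-lookup page in two forms: one that splices user input into the SQL text, and a hardened version using a parameterised query. The table, column names and sample rows are constructed for the demonstration; it runs against an in-memory SQLite database so it can be tried offline.

```python
import sqlite3

# Constructed sample data standing in for an inherited customer table.
# The schema is hypothetical and not TalkTalk's.
CUSTOMERS = [
    (1, "alice@example.com", "Alice Example", "12-34-56"),
    (2, "bob@example.com", "Bob Example", "65-43-21"),
]


def build_db():
    """Create an in-memory database with the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, email TEXT, name TEXT, sort_code TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable pattern: the request parameter becomes part of the SQL text,
    so a quote character in the input changes the query's structure."""
    sql = "SELECT name, sort_code FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    """Hardened pattern: the value is bound as a parameter and is never
    interpreted as SQL, whatever characters it contains."""
    sql = "SELECT name, sort_code FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with a benign address and with a constructed
    quote-breaking input, returning the rows each variant exposes."""
    conn = build_db()
    benign = "alice@example.com"
    crafted = "x' OR '1'='1"  # constructed tautology input for the comparison
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_crafted": lookup_vulnerable(conn, crafted),
        "hard_benign": lookup_hardened(conn, benign),
        "hard_crafted": lookup_hardened(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The crafted input makes the vulnerable lookup return every customer row, while the parameterised version returns nothing for it and behaves identically for the genuine address. The point the ICO makes is that a page like the first one only needs to exist, unknown and unpatched, somewhere in inherited infrastructure; an inventory of exposed pages and the databases they can reach is the control that finds it.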

Elizabeth Denham, Information Commissioner, said:

“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.

Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

In the end the hacker was able to access the personal data of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses. In another 15,656 cases, the attacker also had access to sensitive bank account details and sort codes.

At the time TalkTalk’s CEO, Dido Harding, was both prompt in reporting the incident and engaging with the public. However the ICO does not appear to have been in a very forgiving mood (much like the ISP’s own customers) and has today hit them with a large £400,000 fine.

However it’s hard to feel sorry for TalkTalk, especially since they had “two early warnings” that they were unaware of. The first was a successful SQL injection attack on 17th July 2015 that “exploited the same vulnerability in the webpages” and then a second attack was launched between 2nd and 3rd September 2015. Doh!

Elizabeth Denham added:

“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting.

Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”

Mind you, the fine pales in comparison to the tens of millions of pounds that TalkTalk has lost or expects to lose as a result of the incident, not least due to the cost of updating their systems and all of the subscribers who understandably chose to abandon ship.

Since then a number of people, including several children, have been arrested as part of the related police investigation. At the end of last month a Westminster Court heard how Daniel Kelley (19), who was arrested in Llanelli (South Wales) at the end of last year on suspicion of blackmail, attempted to extort 465 Bitcoins (worth £216K) from TalkTalk following the devastating 2015 cyber-attack on their systems.

Daniel Kelley is also accused of carrying out similar attacks and making related blackmail demands against several other companies from around the world.

15 Responses
  1. TheFacts

    20% early payment discount.

  2. john

    Good – £1000 was pathetic.

  3. FibreFred

    Lesson learnt?

    Doubtful

  4. Billy

    So Talk Talk customers have £400,000 price increase. Yay for justice. That will make hackers think twice…

  5. Evan Crissall

    Great, now what about those BT hacks? The ones that saw “up to” 1.2 million BT Sport subscriber records stolen and traded on the Dark Web? Something truly meaty for Ms Denham to sink her gnasher teeth into. Or does she only “investigate” alleged breaches when it’s expedient for other reasons?

    Incidentally, a £400k fine is peanuts in the scheme of things.

    The media ambush against TalkTalk – ably assisted by ISPreview (!) has cost the company a reported £60 million. Totally dwarfing the paltry fine.

    Not to mention the assault on the group’s share price. In unison with the gangster-like short-selling of TalkTalk’s stock. With TalkTalk shares put on a rollercoaster ride from coordinated and sustained smears in the garbage meeja.

    Follow the money guys and gals. There’s plenty cash made from trashing a stock. Kerr-ching!

    You can kinda predict the next stage of this hacking psyop. Next blitz will be from the show-trial, when the twerps behind the ambush on TalkTalk’s reputation get to recycle the story yet again. Yaaaawn!

    • FibreFred

      Evan Crissall,

      You keep referring to the BT Sport hacks in your various guises, yet I’ve not seen anything on the Internet about them?

      I think last time you mentioned them you said BT had hushed up all of the media and removed any evidence from Google

    • Evan Crissall

      You’re working late tonight, FibreFred, on this forum and no doubt others! What does one earn these days as a plausibly-deniable “Online Perception Management Operative” ? Don’t bother answering. Doubtless Rule #1 in the Shill Rulebook is never admit you’re a Shill!

    • New_Londoner

      Welcome back from Liverpool Evan!

      You omitted to mention the TalkTalk hack was its fourth in a year, and the final one highlighted really poor data storage practices – it was very careless in the way it handled customer data.

      As for any other incidents with other companies, they (1) have no bearing on the TalkTalk case and (2) still need to be proven. Pointing the finger elsewhere is a classic Dido tactic (and is irrelevant), as is making things up if the facts rather inconveniently don’t fit.

  6. captain.cretin

    I must be a shill as well, because I haven't heard a word about BT Sport being hacked.

    I HAVE heard of the Jockey Federation being hacked – and blaming it on the high street banks instead of their moronic clients failing to change their bank details, passwords and accounts; like every other victim of hacking has to do.

    • Evan Crissall

      You’ll have to read the Daily Mail then. It’s the epitome of investigative journalism, donchaknow. It’s in that magnificent organ that you’ll find an astonishingly brief report about the alleged theft of “up to” 1.2 million BT Sport subscriber records, and the trading of them on the Dark Web. If true, a data breach that dwarfs the alleged TalkTalk hack by nearly nine-fold.

      Just cos you ain’t read about it, ain’t proof it ain’t happened.

      “Absence of evidence, is not evidence of absence”, as they say.

    • Bob2002

      Link to BT hack article (Google isn't showing anything)?

    • FibreFred

      Oh Evan/Deduction/etc/etc you are the ultimate troll, now pulling a Russell https://en.wikipedia.org/wiki/Russell%27s_teapot

      Time for a break maybe?

    • Graeme

      There are BT Sport accounts out there being sold, as well as many other pay services.

    • Data Analysis

      It would appear BT Sport accounts have been hacked and sold, at least according to the Daily Mail as posters pointed out.

      http://tinyurl.com/h8ak5m9

      I imagine there are full stories for each company somewhere on the Daily Mail's website.

  7. dragoneast

    Not detracting anything from TalkTalk – idiots – but have we got 10% of the iceberg? Tiscali- and Pipex if I recall correctly before them, behind it? As a former Pipex subscriber I recall the mess of their infamous billing system “improvement”. A decade ago? But of course they’re all successful businessmen now, having found suckers TalkTalk to take on the liabilities, presumably with their blindfold on. Nobody knew anything, of course. TalkTalk, last man standing; holding the parcel when the music finally stops.
