
UK ISP TalkTalk Hit by HUGE £400,000 Fine for Personal Data Breach

Wednesday, Oct 5th, 2016 (2:04 pm)

Ouch. The Information Commissioner’s Office (ICO) has today battered budget ISP TalkTalk with a “record fine” of £400,000 because of “security failings” that occurred during last October’s devastating personal data breach and cyber-attack.

The attack was the result of a combined Distributed Denial of Service (DDoS) assault and an SQL Injection exploit against their website, which ultimately resulted in masses of personal customer and financial data being stolen.

According to the ICO, the data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali UK in 2009. The data was accessed through an attack on three vulnerable webpages within the inherited infrastructure.

The ICO further states that TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information. This database was also using outdated and unsupported software, which was affected by a known SQL bug that TalkTalk failed to fix.

Elizabeth Denham, Information Commissioner, said:

“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.

Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

In the end the hacker was able to access the personal data of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses. In another 15,656 cases, the attacker also had access to sensitive bank account details and sort codes.

At the time TalkTalk’s CEO, Dido Harding, was both prompt in reporting the incident and engaging with the public. However, the ICO does not appear to have been in a very forgiving mood (much like the ISP’s own customers) and has today hit them with a large £400,000 fine.

However, it’s hard to feel sorry for TalkTalk, especially since they had “two early warnings” that they were unaware of. The first was a successful SQL injection attack on 17th July 2015 that “exploited the same vulnerability in the webpages”, and then a second attack was launched between 2nd and 3rd September 2015. Doh!

Elizabeth Denham added:

“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting.

Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”

Mind you, the fine pales in comparison to the tens of millions of pounds that TalkTalk has lost or expects to lose as a result of the incident, not least due to the cost of updating their systems and all of the subscribers who understandably chose to abandon ship.

Since then a number of people, including several children, have been arrested as part of the related police investigation. At the end of last month a Westminster Court heard how Daniel Kelley (19), who was arrested in Llanelli (South Wales) at the end of last year on suspicion of blackmail, attempted to extort 465 Bitcoins (worth £216K) from TalkTalk following the devastating 2015 Cyber-Attack on their systems.

Daniel Kelley is also accused of carrying out similar attacks and making related blackmail demands against several other companies from around the world.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved