
UK ISP TalkTalk Hit by HUGE £400,000 Fine for Personal Data Breach

Wednesday, October 5th, 2016 (2:04 pm)

Ouch. The Information Commissioner’s Office (ICO) has today battered budget ISP TalkTalk with a “record fine” of £400,000 because of “security failings” that occurred during last October’s devastating personal data breach and cyber-attack.

The attack was the result of a combined Distributed Denial of Service (DDoS) assault and an SQL Injection exploit against their website (here), which ultimately resulted in masses of personal customer and financial data being stolen.

According to the ICO, the data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali UK in 2009. The data was accessed through an attack on three vulnerable webpages within the inherited infrastructure.

The ICO further states that TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information. This database was also using outdated and unsupported software, which was affected by a known SQL bug that TalkTalk failed to fix.
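The failing the ICO describes, a web page that hands user input straight into a database query, is illustrated below with an added example that is not part of this article or of TalkTalk's systems. The table, its rows and the function names (`build_db`, `lookup_vulnerable`, `lookup_parameterised`, `demo`) are constructed here for illustration; the same customer lookup is written two ways, and the concatenated version returns every row for a tautology input while the parameterised version returns none.

```python
import sqlite3

# Constructed sample rows modelled on the fields the ICO said were exposed
# (names, addresses, dates of birth, phone numbers, emails, bank details).
CUSTOMERS = [
    ("Ann Example", "1 Test Street", "1970-01-01", "01234 000001",
     "ann@example.invalid", "12345678", "00-00-01"),
    ("Bob Example", "2 Test Street", "1980-02-02", "01234 000002",
     "bob@example.invalid", "87654321", "00-00-02"),
    ("Cat Example", "3 Test Street", "1990-03-03", "01234 000003",
     "cat@example.invalid", "11112222", "00-00-03"),
]


def build_db():
    """Create an in-memory SQLite table holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers "
                 "(name, address, dob, phone, email, account, sort_code)")
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?,?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Query built by string concatenation: the input becomes part of the SQL text."""
    sql = ("SELECT name, account, sort_code FROM customers "
           "WHERE email = '" + email + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """Placeholder binding: the input is only ever treated as a value, never as SQL."""
    sql = "SELECT name, account, sort_code FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with an honest input and a tautology input; return row counts."""
    conn = build_db()
    honest = "bob@example.invalid"
    tautology = "x' OR '1'='1"  # textbook probe: makes the WHERE clause always true
    return {
        "vuln_honest": len(lookup_vulnerable(conn, honest)),
        "vuln_tautology": len(lookup_vulnerable(conn, tautology)),
        "safe_honest": len(lookup_parameterised(conn, honest)),
        "safe_tautology": len(lookup_parameterised(conn, tautology)),
    }
```

The concatenated query is exactly the pattern a web vulnerability scan of the inherited pages would have been expected to flag; the parameterised form is the fix regardless of how old the database software behind it is.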

Elizabeth Denham, Information Commissioner, said:

“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.

Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

In the end the hacker was able to access the personal data of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses. In another 15,656 cases, the attacker also had access to sensitive bank account details and sort codes.

At the time TalkTalk’s CEO, Dido Harding, was both prompt in reporting the incident and engaging with the public. However the ICO does not appear to have been in a very forgiving mood (much like the ISP’s own customers) and has today hit them with a large £400,000 fine.

However it’s hard to feel sorry for TalkTalk, especially since they had “two early warnings” that went unnoticed. The first was a successful SQL injection attack on 17th July 2015 that “exploited the same vulnerability in the webpages”, and a second attack was launched between 2nd and 3rd September 2015. Doh!

Elizabeth Denham added:

“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting.

Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”

Mind you, the fine pales in comparison to the tens of millions of pounds that TalkTalk has lost or expects to lose as a result of the incident, not least due to the cost of updating their systems and all of the subscribers who understandably chose to abandon ship.

Since then a number of people, including several children, have been arrested as part of the related police investigation. At the end of last month a Westminster Court heard how Daniel Kelley (19), who was arrested in Llanelli (South Wales) at the end of last year on suspicion of blackmail, attempted to extort 465 Bitcoins (worth £216K) from TalkTalk following the devastating 2015 Cyber-Attack on their systems (here).

Daniel Kelley is also accused of carrying out similar attacks and making related blackmail demands against several other companies from around the world.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
15 Responses
  1. TheFacts says:

    20% early payment discount.

  2. john says:

    Good – £1000 was pathetic.

  3. FibreFred says:

    Lesson learnt?


  4. Billy says:

    So Talk Talk customers have a £400,000 price increase. Yay for justice. That will make hackers think twice…

  5. Evan Crissall says:

    Great, now what about those BT hacks? The ones that saw “up to” 1.2 million BT Sport subscriber records stolen and traded on the Dark Web? Something truly meaty for Ms Denham to sink her gnasher teeth into. Or does she only “investigate” alleged breaches when it’s expedient for other reasons?

    Incidentally, a £400k fine is peanuts in the scheme of things.

    The media ambush against TalkTalk – ably assisted by ISPreview (!) has cost the company a reported £60 million. Totally dwarfing the paltry fine.

    Not to mention the assault on the group’s share price. In unison with the gangster-like short-selling of TalkTalk’s stock. With TalkTalk shares put on a rollercoaster ride from coordinated and sustained smears in the garbage meeja.

    Follow the money guys and gals. There’s plenty cash made from trashing a stock. Kerr-ching!

    You can kinda predict the next stage of this hacking psyop. Next blitz will be from the show-trial, when the twerps behind the ambush on TalkTalk’s reputation get to recycle the story yet again. Yaaaawn!

    1. FibreFred says:

      Evan Crissall,

      You keep referring to the BT Sport hacks in your various guises, yet I’ve not seen anything on the Internet about them?

      I think last time you mentioned them you said BT had hushed up all of the media and removed any evidence from Google

    2. Evan Crissall says:

      You’re working late tonight, FibreFred, on this forum and no doubt others! What does one earn these days as a plausibly-deniable “Online Perception Management Operative” ? Don’t bother answering. Doubtless Rule #1 in the Shill Rulebook is never admit you’re a Shill!

    3. New_Londoner says:

      Welcome back from Liverpool Evan!

      You omitted to mention the TalkTalk hack was its fourth in a year, and the final one highlighted really poor data storage practices – it was very careless in the way it handled customer data.

      As for any other incidents with other companies, they (1) have no bearing on the TalkTalk case and (2) still need to be proven. Pointing the finger elsewhere is a classic Dido tactic (and is irrelevant), as is making things up if the facts rather inconveniently don’t fit.

  6. captain.cretin says:

    I must be a shill as well, because I haven’t heard a word about BT Sport being hacked.

    I HAVE heard of the Jockey Federation being hacked – and blaming it on the high street banks instead of their moronic clients failing to change their bank details, passwords and accounts; like every other victim of hacking has to do.

    1. Evan Crissall says:

      You’ll have to read the Daily Mail then. It’s the epitome of investigative journalism, donchaknow. It’s in that magnificent organ that you’ll find an astonishingly brief report about the alleged theft of “up to” 1.2 million BT Sport subscriber records, and the trading of them on the Dark Web. If true, a data breach that dwarfs the alleged TalkTalk hack by nearly nine-fold.

      Just cos you ain’t read about it, ain’t proof it ain’t happened.

      “Absence of evidence, is not evidence of absence”, as they say.

    2. Bob2002 says:

      Link to BT hack article(Google isn’t showing anything)?

    3. FibreFred says:

      Oh Evan/Deduction/etc/etc you are the ultimate troll, now pulling a Russell https://en.wikipedia.org/wiki/Russell%27s_teapot

      Time for a break maybe?

    4. Graeme says:

      There are BT Sport accounts out there being sold as well as many other pay services

    5. Data Analysis says:

      It would appear BT Sport accounts have been hacked and sold, at least according to the Daily Mail, as posters pointed out.


      I imagine there are full stories for each company somewhere on the Daily Mail’s website.

  7. dragoneast says:

    Not detracting anything from TalkTalk – idiots – but have we got 10% of the iceberg? Tiscali- and Pipex if I recall correctly before them, behind it? As a former Pipex subscriber I recall the mess of their infamous billing system “improvement”. A decade ago? But of course they’re all successful businessmen now, having found suckers TalkTalk to take on the liabilities, presumably with their blindfold on. Nobody knew anything, of course. TalkTalk, last man standing; holding the parcel when the music finally stops.
