TalkTalk has been hit with a record £400,000 fine for the cyber attack in 2015 that exposed personal details of more than 150,000 customers.
The new information commissioner, Elizabeth Denham, said the telecoms provider had failed to apply “the most basic cyber security measures”, leaving its database vulnerable to a SQL injection attack after failing to apply a fix for a software bug that had been available for more than three years.
“Hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action,” said Denham, who took up her post in July.
“The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009. The data was accessed through an attack on three vulnerable webpages in the inherited infrastructure,” it said.
“TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.
“TalkTalk was not aware that the installed version of the database software was outdated and no longer supported by the provider. The company said it did not know at the time that the software was affected by a bug – for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible.
“The attacker used a common technique known as SQL injection to access the data. SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data.”
Denham said: “In spite of its expertise and resources, when it came to the basic principles of cyber security, TalkTalk was found wanting.”
“The record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
By Bryan Glick