TalkTalk fined £400,000 for security failings and data breach

TalkTalk, the telecom service provider of UK, has been fined a record £400,000 for the security failing that allowed a data breach during the cyber attack last October. The biggest fine ever issued by the Information Commissioner's Office, comes after an in-depth investigation by the ICO into the devastating cyber attack that happened during between 15^th and 21^st October of last year, when hackers stole personal data of nearly 157,000 customers. That included addresses, dates of birth, besides personal details. The hackers accessed successfully, in the case of 15,656 cases, the customer's bank account details and sort codes!

The investigators point out that hackers took advantage of a technical weakness in the system, specifically on 3 vulnerable webpages, that was part of the infrastructure of Tiscali, which TalkTalk acquired during 2009. ICO found that it was the provider's failure to scan these pages for possible threats and to detect the presence of a bug, which had a fix available, that allowed unauthorised access to a database holing important customer information.

During an investigation of talkTalk.co.uk into latency, the cyber attack was detected on 21^st October, 2015. A ransom demand was received by TalkTalk and it took a number of its websites offline . It alerted the police, and the following day its customers, about the cyber attack.

Subsequently, over the next 3 months TalkTalk lost some 100,000 of its customers, which cost the provider an estimated £60 million. But the telecom provider was criticised for not permitting customers to exit their contracts without a cancellation fee, but the company did offer customers upgrades to their packages for free.

Elizabeth Denham, Information Officer, commented that TalkTalk should have done and could have done more to safeguard their customer information database. As it did not, ICO has take action, she added. The Information Commissioner 'found wanting' of TalkTalk, when it came to basic principles of cyber security, despite its expertise and resources. Elizabeth Denham accusing remarked that the record fine is a warning to others that cyber security cannot be viewed as an IT issue, but as a boardroom issue.