October 5, 2016 (updated 25 Oct 2016 1:32pm)

ICO hits TalkTalk with record fine

Fine issued as a warning to other companies that cyber security is not an IT issue, but a boardroom issue.

By James Nunns

TalkTalk has been hit with a record fine after it let attackers succeed “with ease”.

The fine of £400,000 comes in response to the theft of the personal data of around 157,000 customers in October 2015.

Imposed by the Information Commissioner’s Office (ICO), the fine is due to the company’s failure to take basic steps to protect customer information.

The ICO found from its investigation that TalkTalk hosted three webpages that were vulnerable to SQL injections.

A failure to enforce proper security on its own website led to nearly 16,000 cases in which the attacker was able to steal bank account details.

The Information Commissioner, Elizabeth Denham, said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”

Information Commissioner Elizabeth Denham stopped short of issuing TalkTalk with the maximum fine.

One finding from the report highlighted that TalkTalk had failed to assess the IT systems of Tiscali for possible threats when it purchased the company in 2009. This failing led to the database software being out of date and vulnerable to SQL injection.

The telecoms company also ignored the warning signs which were flashing after similar cyber attacks earlier in 2015.

Although the fine of £400,000 is the highest issued by the ICO to date, it falls short of the maximum of £500,000; the real cost of the breach, however, lies elsewhere.

Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, said: “I am pleased the ICO is taking this particular loss very seriously and believe that the amount is appropriate in the circumstances. Some people may think £400,000 is high, but let’s remember it is only £2.50 per impacted customer.

“However, the real loss to TalkTalk is far greater. It had a stock price drop of 11 percent, claimed to have lost 101,000 customers and had a revenue reduction of £80M in the quarter after the attacks. In addition, the name TalkTalk will forever be linked to this and its other data loss incidents.

“The lesson to other organisations is crystal clear – data is the crown jewels of your business; treat it with the utmost respect, secure it in every way possible both from malicious actors and inadvertent loss or misuse by employees and subcontractors. You are responsible to your employees, customers and suppliers to keep their data safe from the second it is collected.”

Denham said that while hacking is wrong, it is not an excuse for companies to “abdicate their security obligations”.

The Commissioner went on to say that the fine acts as a warning to other companies that cyber security is not an IT issue, but that it is a boardroom issue.
