UK telecoms provider TalkTalk has been hit with a record £400,000 fine for having poor website security that led to the theft of the personal details of 157,000 customers.
TalkTalk was issued with the fine by the Information Commissioner’s Office (ICO) in the UK, which suggested that the company could have easily prevented the data breach.
TalkTalk was hit by a sustained cyberattack in October 2015. Within days, a 15-year-old schoolboy from Co Antrim in Northern Ireland was arrested for allegedly being involved in the breach.
The ICO said the attack on the company could have been prevented if TalkTalk had taken basic steps to protect customers’ information.
‘TalkTalk’s failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk’s systems with ease’
– ELIZABETH DENHAM
ICO investigators found that the cyberattack between 15 and 21 October took advantage of technical weaknesses in TalkTalk’s systems.
The attacker accessed the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses.
In 15,656 cases, the attacker also had access to bank account details and sort codes, the ICO said.
It is understood the data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009.
“TalkTalk’s failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk’s systems with ease.
“Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not, and we have taken action.”
The ICO’s investigation was limited to TalkTalk’s compliance with the Data Protection Act.
A criminal investigation by the Metropolitan Police has been running separately to the ICO’s investigation.
The anatomy of an attack that could have been prevented
According to the ICO, the data was accessed through an attack on three vulnerable web pages within the infrastructure inherited from Tiscali.
It said TalkTalk failed to scan the infrastructure properly for possible threats.
TalkTalk was also unaware that the installed version of the database software was outdated and no longer supported by the vendor.
It didn’t know either that the software had been affected by a bug for which a fix was available.
The bug allowed the attacker to bypass access restrictions.
If the bug had been fixed, the attack would have been rendered impossible.
The attacker used a common technique known as SQL injection to access the data. SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data, the ICO investigation found.
On top of that, the company also had two early warnings that it was unaware of. The first was a successful SQL injection attack on 17 July 2015 that exploited the same vulnerability in the web pages. A second attack was launched between 2 and 3 September 2015.
“In spite of its expertise and resources, when it came to the basic principles of cybersecurity, TalkTalk was found wanting.
“Today’s record fine acts as a warning to others that cybersecurity is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”