TalkTalk Penalised With A Record Fine

TalkTalk has been hit with a record £400,000 fine for the security failings that led to the company being hacked in October 2015.

The Information Commissioner’s Office levied the fine saying that the attack “could have been prevented if TalkTalk had taken basic steps to protect customers’ information”.

The hack resulted in the attacker accessing the personal information of more than 150,000 customers of the internet service provider, including sensitive financial data for more than 15,000 people.

The information commissioner, Elizabeth Denham, said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.

“Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

The technique used by the attacker, called SQL injection, has been well known in security circles for almost 20 years. “SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data,” the ICO said. “On top of that the company also had two early warnings that it was unaware of. The first was a successful SQL injection attack on 17 July 2015 that exploited the same vulnerability in the webpages. A second attack was launched between 2 and 3 September 2015.”

The amount the ICO can fine companies for serious breach of data protection obligations is capped at £500,000, leaving TalkTalk’s fine almost as large as it could possibly receive. Repeat offenders can also be issued “enforcement notices” under the same legislation, which entail the ICO requiring a business to take particular steps to prevent a re-occurrence.

The previous highest fine ever issued by the ICO was £350,000, against Prodial, a spam-calling company responsible for over 46 million automated nuisance calls.

In a statement, TalkTalk said: “TalkTalk has co-operated fully with the ICO at all times and, while this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers.

“During a year in which the government data showed nine in 10 large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.

“As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time.”

In September this year, Daniel Kelley, 19, was charged with hacking the company. Kelley appeared at Westminster magistrates court accused of demanding 465 bitcoins, then worth over £200,000, from the company after allegedly carrying out the attack.

Data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009, the ICO said. It added that the data was accessed through an attack on three vulnerable webpages in the “inherited infrastructure”.

TalkTalk was said to have failed to properly scan this infrastructure for possible threats and was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.

TalkTalk was not aware that the installed version of the database software was outdated and no longer supported by the provider, according to the ICO. The company said it did not know at the time that the software was affected by a bug – for which a fix was available, the watchdog said, adding: “The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible.”

When the cyber-attack was revealed, TalkTalk said it did not know how many customers were affected, raising concerns that hundreds of thousands of customers could be at risk. It had been criticised for failing to to take precautions after being hacked twice in the recent past.

In December 2014, the company saw customers hit by India-based scam calls after a data breach. It happened gain in again in February 2015, when TalkTalk customers were subjected to further scams, despite the company describing the information stolen in the breach as limited and non-sensitive. TalkTalk Mobile customers were also affected by an attack on Carphone Warehouse systems in which the personal information of up to 2.4 million customers was stolen.

Guardian:

 

« Secret Arrest Of A National Security Agency Contractor
Cyber Security & The US Presidential Race »

Quartz Conference
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

VMworld

VMworld

VMworld is a global conference for virtualization and cloud computing, including associated security issues.

Council of European Professional Informatics Societies (CEPIS)

Council of European Professional Informatics Societies (CEPIS)

CEPIS is the representative body of national informatics associations throughout Europe and represent over 450,000 ICT and informatics professionals in 32 countries.

IT Security Guru

IT Security Guru

IT Security Gurus publish daily breaking news. interviews with the key thinkers in IT security, videos and the top 10 stories as picked by our Editor.

Pyramid Computer

Pyramid Computer

Pyramid Computer provides custom enterprise solutions for Industrial PC, Imaging, Network, Security, POS, Indoor Positioning and Automation.

Microsoft Security

Microsoft Security

Microsoft Security helps protect people and data against cyberthreats to give you peace of mind. Safeguard your people, data, and infrastructure.

National Association of Software and Services Companies (NASSCOM)

National Association of Software and Services Companies (NASSCOM)

NASSCOM is a trade association of Indian Information Technology and Business Process Outsourcing industry. Areas of activity include cyber security.

Nexthink

Nexthink

Using our solution, hundreds of IT departments effectively balance offering a productive and enjoyable end-user experience with making the right decisions to secure and transform the digital workplace

SentryBay

SentryBay

SentryBay is a real-time data security company developing technology for PC, mobile, the cloud and IoT.

Tessian

Tessian

Tessian (formerly CheckRecipient) is a next-generation email security platform that helps enterprises counteract human error and significantly reduce the risk of data loss.

Government Communications Security Bureau (GCSB)

Government Communications Security Bureau (GCSB)

GCSB contributes to New Zealand’s national security by providing information assurance and cyber security to the New Zealand Government and critical infrastructure organisations.

Valid Network

Valid Network

Valid Network DSP is blending traditional cyber security methodologies with blockchain transactions to achieve trust, internal and federated between organizations and stake holders.

Cyway

Cyway

Cyway is a value-added cybersecurity distributor focusing on on-prem, cloud solutions and hybrid solutions, IoT, AI & machine learning IT security technologies.

Syndis

Syndis

Syndis is a leading information security company helping to defend organizations by providing bespoke services and innovative security solutions in the global market.

Oak9

Oak9

The oak9 platform analyzes infrastructure as code (IaC) and builds security into cloud native applications so they are secure and compliant by design.

Zorus

Zorus

Zorus provides best-in-class cybersecurity products to MSP partners to help them grow their business and protect their clients.