TalkTalk fined £400,000 for failing to stop 2015 hacking

Telecoms company TalkTalk has been fined a record £400,000 by the UK’s information and privacy watchdog following last October’s hacking of 156,000 customers’ data.

In a damning statement, the Information Commissioner’s Office says hackers were able to access the data, which included addresses, contact details and banking information “with ease”.

According to the ICO, the hack was possible because of three vulnerable webpages within a system TalkTalk inherited through its acquisition of Tiscali’s UK operations in 2009.

The watchdog says:

TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.

TalkTalk was not aware that the installed version of the database software was outdated and no longer supported by the provider.

The company said it did not know at the time that the software was affected by a bug – for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible.

The attacker used a common technique known as SQL injection to access the data. SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data, the ICO investigation found.

Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.

“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

The incident is believed to have seriously damaged TalkTalk’s brand and its attractiveness to a possible buyer.
