The Information Commissioner’s Office (ICO) in the UK has imposed a record fine of £400,000 ($509,000) on British broadband provider TalkTalk for failing to protect personal details of thousands of customers from hackers.
Last year, TalkTalk was hacked between 15 and 21 October, and during this much-publicized cyberattack the details of over 157,000 customers were stolen. According to the ICO, the attack could have been prevented had TalkTalk taken proper steps, but it failed to do so. Hackers stole the names, dates of birth, addresses, phone numbers and email addresses of customers.
In a statement, ICO Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”
“Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
The ICO’s decision to impose a fine on TalkTalk is expected to put pressure on companies to review their online security procedures and take proper steps to protect confidential data from hackers.
TalkTalk said it is disappointed with the ICO’s decision, although it respects the role of the ICO in upholding the privacy of customers. The company insisted that it had been punished for being “open and honest” with its 4 million customers about the breach.
TalkTalk, in a statement, said: “During a year in which government data showed nine in 10 large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset.”
“This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.”
“As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time.”
The ICO has the power to impose a maximum fine of £500,000. The fine imposed on TalkTalk is the largest so far levied by the ICO. The previous highest fine was £350,000, imposed on Prodial for making 46 million nuisance calls.
In 2018, new EU regulations will come into force and will give the ICO the power to impose fines of up to 4% of a company’s global turnover.
The ICO carried out a detailed investigation of the TalkTalk hacking incident and found that the data was stolen from an underlying customer database. This database came to TalkTalk through its acquisition of Tiscali’s UK operations, which was completed in 2009. According to the ICO, TalkTalk had no idea that the installed version of the database software was outdated and that the provider was no longer supporting it. The software was affected by a bug for which a fix was available, but TalkTalk was not aware of it.
“TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible,” the ICO said.
Attackers used a SQL injection technique to access the data.
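To make concrete what the ICO means by a bug that let an attacker “bypass access restrictions”, here is an added example that is not part of the original article and has no connection to TalkTalk’s actual systems: a customer-lookup query built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table with made-up customer rows.

```python
import sqlite3

# Constructed sample customer table; all names and addresses are made up.
CUSTOMERS = [
    (1, "alice@example.invalid", "Alice", "1980-01-01"),
    (2, "bob@example.invalid", "Bob", "1975-05-05"),
    (3, "carol@example.invalid", "Carol", "1990-09-09"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, email TEXT, name TEXT, dob TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    # The weak pattern: user input is pasted into the SQL text, so the
    # "only your own record" restriction lives in a string the caller controls.
    sql = "SELECT id, email, name, dob FROM customer WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # Hardened form: the input is bound as a value and never parsed as SQL.
    sql = "SELECT id, email, name, dob FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Textbook tautology input, used here only to contrast the two query styles.
TAUTOLOGY = "' OR '1'='1"


def demo():
    # Returns the number of rows each lookup hands back for a normal address
    # and for the tautology input; the vulnerable form leaks the whole table.
    conn = build_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice@example.invalid")),
        "vulnerable_injected": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "parameterized_normal": len(lookup_parameterized(conn, "alice@example.invalid")),
        "parameterized_injected": len(lookup_parameterized(conn, TAUTOLOGY)),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized lookup treats the tautology as a literal email address and matches nothing, which is the behaviour a patched or properly written customer-facing page would have shown.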
Experts also criticized TalkTalk for not taking basic security measures to protect its data and software despite experiencing two similar hacking attacks earlier in 2015.
The October attack cost the company about £42 million, according to TalkTalk.
The Metropolitan Police is currently investigating the case, and has arrested six people in connection with the alleged hack.