TalkTalk on receiving end of record £400,000 ICO fine for failing to prevent October 2015 cyber attack
Telecoms company TalkTalk has been issued with a record £400,000 fine by the Information Commissioner’s Office (ICO) for security failings that allowed a cyber attacker to access customer data “with ease”. The ICO’s in-depth investigation found that an attack on the company last October could have been prevented if TalkTalk had taken basic steps to protect customers’ information.
ICO investigators found that the cyber attack between 15 and 21 October 2015 took advantage of technical weaknesses in TalkTalk’s systems. The attacker accessed the personal data of no less than 156,959 customers including their names, addresses, dates of birth, phone numbers and e-mail addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes.
Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic of cyber security measures allowed hackers to penetrate the company’s systems with ease. Yes, hacking is wrong, but that’s not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009. The data was accessed through an attack on three vulnerable web pages within the inherited infrastructure. TalkTalk failed to properly scan this infrastructure for possible threats, and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.
TalkTalk wasn’t aware that the installed version of the database software was outdated and no longer supported by the provider. The company said it didn’t know at the time that the software was affected by a bug for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had that bug been fixed, this bypass action wouldn’t have been possible.
The attacker used a common technique known as SQL injection to access the data. SQL injection is well understood. Defences exist and TalkTalk “ought to have known it posed a risk” to its data, the ICO investigation found.
On top of that, the company also had two early warnings of which it was unaware. The first was a successful SQL injection attack on 17 July 2015 that exploited the same vulnerability in the web pages. A second attack was launched between 2 and 3 September 2015.
The Information Commissioner added: “In spite of its expertise and resources, when it came to the basic principles of cyber security, TalkTalk was found wanting. This record fine acts as a warning to others that cyber security isn’t an IT issue. Rather, it’s a Boardroom issue. Companies must be diligent and vigilant. They must be so not only because they have a duty under law, but because they have a duty to their customers.”
The ICO’s investigation was limited to TalkTalk’s compliance with the Data Protection Act. It concluded that TalkTalk failed to have in place the appropriate security measures to protect the personal data for which it was responsible. This is a breach of the seventh principle of the Data Protection Act.
A criminal investigation by the Metropolitan Police Service has been running separately to the ICO’s investigation.
Reaction from academia and the security business sector
Speaking about the news, Mark Skilton (Professor of Practice at Warwick Business School and an expert on cyber security) commented: “Although this may be called a record fine at £400,000, it’s insignificant to the turnover and customer base of TalkTalk and little more than a sting in the tail for TalkTalk’s finances. Even by factoring-in the reported numbers of just shy of 157,000 personal details and, of those, the 16,000 individuals who had bank details stolen, it still only equates to £2.50 per head or £25 per person who lost banking data. The fine seems to be ‘proportionate’ to the impact, but shows little regard for the possible risks and lack of due diligence of a company with four million subscribers.”
Skilton continued: “Even if liability insurance may have covered the possible losses of those customers, it still raises questions over digital risk governance and how necessary it is for corporates to take it seriously. The money from the £400,000 fine could have been invested in better security staff in the organisation and further investment in cyber monitoring and response detection, but it raises the question over current legal punitive measures that focus on specific losses as opposed to corporate responsibilities.”
In conclusion, Skilton told Risk UK: “TalkTalk seems to have been let off lightly here even if its argument is that the millions of customers involved were not at risk. A strong message and fines approach needs to be in place for corporates to manage and treat cyber security as a real corporate risk and not just a customer data mismanagement issue. It’s far more important than the latter.”
Sensitivity of unmasked data
Jes Breslaw, EMEA director of strategy at Delphix, observed: “The TalkTalk hack stands as a reminder of the sensitivity of unmasked data. Customer-sensitive data such as credit card numbers and bank details are a lucrative money-spinner for criminals operating on ‘The Dark Web’. In this instance, the hack went unnoticed for a prolonged period, increasing the value of the data to fraudsters and triggering a hefty fine. Had the European Union’s General Data Protection Regulation (GDPR) already been in operation, that fine could have been somewhere in the region of £70 million, based on 4% of TalkTalk’s annual worldwide turnover for the year in question.”
Breslaw went on to state: “In either case, the key thing is that organisations holding financial and sensitive customer data need to mask it to prevent repetitions of this kind of breach. Doing so will limit the risk to brand reputation, as well as ensuring customers don’t find themselves facing unexpected instances of fraud and identity theft.”
In addition, Breslaw explained: “The problem of masking both production and test data is that it has traditionally been an expensive and complex task. In order to overcome this barrier, companies need to consider leveraging technologies, such as data virtualisation, which allow them to scale data masking.”
Prioritising cyber security
Also commenting on TalkTalk’s fine, Mishcon de Reya’s cyber security lead Joe Hancock said: “The fine against TalkTalk is the biggest issued by the ICO to date as a result of the company not implementing basic levels of protection. It’s clear that perhaps security hasn’t always been prioritised in the way it is now. However, £400,000 is still a relatively small fine compared to the potential fines that will be levied under the forthcoming GDPR.”
Hancock continued: “We expect to see further examples made of companies who fail to take cyber security as seriously as they would other risks. Implementing basic cyber security protections will go a long way towards protecting customers’ data and company reputations.”
Hancock also outlined: “The question now remains as to whether the responsibility for the fine is with TalkTalk itself, or should it be shared between their service providers and suppliers? These issues are likely to become more pressing as the size of fines increases under the GDPR.”