The TalkTalk breach offers a stark reminder of why companies must protect customer data. Last October, the UK internet service provider suffered a cyberattack that exposed large volumes of personal and financial information belonging to its customers.
Under data protection law, organizations must publicly disclose breaches that expose personal information. After investigating the incident, the UK Information Commissioner’s Office (ICO) issued TalkTalk a record fine of £400,000 to reinforce the need for stronger safeguards around customer data.
“TalkTalk’s failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk’s systems with ease,” said Elizabeth Denham, Information Commissioner. “Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
The attackers combined a Distributed Denial of Service (DDoS) attack with SQL injection. They targeted three vulnerable web pages connected to a customer database that TalkTalk had inherited through its 2009 acquisition of Tiscali.
The breach exposed personal data for 156,959 customers, including names, addresses, phone numbers, dates of birth, and email addresses. In 15,656 cases, the attackers also accessed bank account details and sort codes.
“In spite of its expertise and resources, when it came to the basic principles of cybersecurity, TalkTalk was found wanting,” Denham added. “Today’s record fine acts as a warning to others that cybersecurity is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
Before the major breach, TalkTalk suffered two smaller attacks that exploited the same vulnerability. Those incidents should have prompted the company to fix the affected systems, but the flaw remained and did not prevent the larger compromise.
Beyond regulatory penalties and reputational damage, TalkTalk faced substantial financial consequences. The company expected to lose tens of millions of pounds as customers left the service. Several people were arrested in connection with the attack, including 19-year-old Daniel Kelley, who attempted to extort TalkTalk for 465 bitcoins (approximately £216,000 at the time) and has been accused of carrying out similar attacks and making blackmail demands against other firms.
Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, commented: “I am pleased the ICO is taking this particular loss very seriously and believe that the amount is appropriate in the circumstances. Some people may think £400,000 is high, but let’s remember it is only £2.50 per impacted customer. However, the real loss to TalkTalk is far greater. It had a stock price drop of 11 percent, claimed to have lost 101,000 customers and had a revenue reduction of £80 million in the quarter after the attacks. In addition, the name TalkTalk will forever be linked to this and its other data loss incidents.”