TalkTalk fined £400,000 for security breach
UK ISP TalkTalk hit the headlines last year for a data breach that resulted in the theft of personal data relating to over 150,000 customers.
Today the Information Commissioner's Office announced that it has issued the company with a record £400,000 (around $510,000) fine for what it called a failure to implement basic security measures.
"In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting," says Information Commissioner Elizabeth Denham. "Today's record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers".
The data theft arose from out-of-date database software used to store details of customers inherited from the 2009 takeover of a rival firm, Tiscali. As a result, the attacker was able to steal the customers' details by attacking three vulnerable web pages using SQL injection.
Security experts, however, feel that the company may have got off lightly, at least in financial terms. "It may be a record fine but £400,000 is quite light considering the depth of the incident," says Jonathan Martin, EMEA operations director at threat intelligence company Anomali. "The knock-on impact to the business is really where the after-effects of this incident have been felt. Since this breach we've seen many more take place, and organisations need to sit up and take note. A failure to implement basic cyber security measures and patch known vulnerabilities allowed hackers to access TalkTalk's network far too easily. It's a situation which is an unacceptable lapse for any organisation. Organisations must take steps to simplify processes to enable them to identify and distil internal, as well as external, security data into actionable insights, in order to activate response plans. Prevention is far better than the business and reputational damage of any security incident".
"I am pleased the ICO is taking this particular loss very seriously and believe that the amount is appropriate in the circumstances. Some people may think £400,000 is high, but let’s remember it is only £2.50 per impacted customer," Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, says. "However, the real loss to TalkTalk is far greater. It had a stock price drop of 11 percent, claimed to have lost 101,000 customers and had a revenue reduction of £80M in the quarter after the attacks. In addition, the name TalkTalk will forever be linked to this and its other data loss incidents".
In an official statement TalkTalk itself says,
During a year in which Government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.
As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time.
The moral for all companies though is that customer data is a valuable commodity and safeguarding it is something that needs to be taken seriously.