TalkTalk fined record £400k over cyber attack
TalkTalk has been fined a record £400,000 by the Information Commissioner’s Office for failings over a cyber attack last year that affected more than 150,000 of its customers.
Following an in-depth investigation, the ICO found that the telecoms group could have prevented the hack if it had taken basic steps to protect customers’ information.
The watchdog said the attack, which took place between 15 and 21 October 2015, took advantage of technical weaknesses in the company’s systems, allowing the hackers to access the personal data of 156,959 customers.
Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
She said the record fine “acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers”.
The ICO’s investigation found that the attacker used a common and “well understood” technique known as SQL injection to access the data.
“Defences exist and TalkTalk ought to have known it posed a risk to its data,” the ICO said.
In addition, it said the company had two early warnings that it was unaware of. The first was a successful SQL injection attack on 17 July 2015 that exploited the same vulnerability in the webpages, and the second was an attack launched between 2 and 3 September.
At 1415 BST, the shares were up 0.9% to 211.30p.