Cyber-attack could have been prevented if TalkTalk had taken basic steps - ICO
TalkTalk has been fined £400,000 by the ICO for security failings that led to its system being hacked and the theft of customer data.
In a damning statement, the ICO found that the attack on the company in October 2015 could have been prevented if TalkTalk had taken basic steps to protect customers’ information.
ICO investigators found that the cyber-attack between 15 and 21 October 2015 took advantage of technical weaknesses in TalkTalk’s systems.
The attacker accessed the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes.
Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.
“Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009. It was accessed through an attack on three vulnerable webpages within the inherited infrastructure.
TalkTalk failed to properly scan this inherited infrastructure for vulnerabilities, and so was unaware that the vulnerable pages existed or that they provided a route to a database holding customer information.
The telecoms company was not aware that the installed version of the database software was outdated and no longer supported by the provider.
The company said it did not know at the time that the software was affected by a bug – for which a fix was available.
The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible, the ICO added.
The commissioner also said the company had missed two early warnings: an attack on 17 July 2015 that exploited the same vulnerability in the webpages, and a second attack launched between 2 and 3 September 2015. TalkTalk was unaware of both at the time.
The ICO’s investigation was limited to TalkTalk’s compliance with the Data Protection Act.
A criminal investigation by the Metropolitan Police has been running separately to the ICO’s investigation.