British broadband provider TalkTalk has been slapped with a record £400,000 fine ($509,000) for security failings that led to the company being hacked in October 2015. The Information Commissioner's Office levied the fine saying the much-publicised cyberattack in which thousands of customers' personal details were stolen could have been prevented by the company if it had taken basic steps to safeguard its customers' information.
The attack, which took place between 15 and 21 October last year, saw the theft of almost 157,000 customers' details, including names, addresses, dates of birth, phone numbers and email addresses. In a little over 15,600 of those cases the attacker also accessed bank account numbers and sort codes.
"TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease," Information Commissioner Elizabeth Denham said in a statement. "Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."
TalkTalk said the company has "cooperated fully" with the ICO and while this is a "disappointing decision", it does respect the role of the ICO in upholding the privacy of customers.
"During a year in which government data showed nine in 10 large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset," the company said in a statement. "This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.
"As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time."
The fine is the largest yet levied by the ICO, which could have imposed a maximum of £500,000. The previous highest fine handed down by the UK's data privacy regulator was £350,000 against Prodial earlier this year, for making 46 million nuisance calls.
According to an in-depth investigation by the ICO, the data was taken from an underlying customer database that was part of the company's acquisition of Tiscali's UK operations in 2009. The watchdog said the data was accessed through an attack on three vulnerable webpages in the "inherited infrastructure".
"TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information," the ICO said.
TalkTalk was unaware that the installed version of the database software was outdated and no longer supported by its vendor, and so did not know at the time that the software was affected by a bug for which a fix was available, the ICO said.
"The bug allowed the attacker to bypass access restrictions," the ICO noted. "Had it been fixed, this would not have been possible." Using a well-known hacking technique known as SQL injection, the attacker was able to access the data.
The company was also criticised for failing to take basic security measures to protect and fix its software and data storage, despite two similar cyberattacks earlier in 2015.
"In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting," Denham said. "Today's record fine acts as a warning to others that cybersecurity is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant."
In May, TalkTalk revealed that the much-publicised attack cost the firm around £42m and 101,000 subscribers in the third quarter of 2015.
A criminal investigation by the Metropolitan Police is running separately from the ICO's investigation. Six people under 21 years old have been arrested in connection with the alleged hack as part of the police investigation so far.