UK Telecom Giant TalkTalk Sees a Record Fine for Data Breach


TalkTalk, the telecom and internet service provider that saw a comprehensive hack in October 2015 has seen a record £400,000 fine (approx. $509,934) imposed by the UK government.

TalkTalk suffered a hack in October 2015 that saw the personal information and financial details of some 150,000 customers stolen during the security breach.

In the aftermath of the incident, a year later, the Information Commissioner’s Office in the UK revealed that an investigation had determined that the breach “could have been prevented if TalkTalk had taken basic steps to protect consumers’ information.”

Altogether, the attacker accessed the personal data of 156,959 customers. Stolen data included customers’ names, addresses, dates of birth, phone numbers and email addresses. The attacker also had access to bank account details and their sorting codes, in 15,656 cases.

In damning statements, Information Commissioner Elizabeth Denham said:

TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.

Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.

The notice also revealed details of the investigation, pointing to an underlying customer database that was carried over from TalkTalk’s acquisition of a different company. Three vulnerable pages were accessed, contained within the inherited database. TalkTalk was completely unaware of the vulnerable pages, since it did not properly scan this acquired infrastructure.

In a twist, the database software that proved to be outdated and hence vulnerable before being exploited – contained a fix. If implemented, the entire breach would have been avoided.

As with most other breaches, the attacker exploited the database with an SQL injection technique.

Meanwhile, TalkTalk has been fined nearly the maximum amount of a fine that can be levied by the ICO, at £500,000. The previous record for the highest-ever fine issued by the ICO was £350,000, toward a spam-calling company called Prodial which was behind 46 million automated spam calls.

Image credit: Pixabay.