TalkTalk has been fined a record $510,000 by the Information Commissioner’s Office (ICO) for failings over a cyber attack last year that affected more than 150,000 of its users.
Following an in-depth investigation, the ICO found that the telecoms group could have prevented the hack if it had taken basic steps to protect customers’ information.
The watchdog said the attack, which took place between 15 and 21 October 2015, took advantage of a vulnerability in the company’s systems that allowed the hackers to access the personal data of 156,959 customers.
Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”
“Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
The fine “acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers,” she added.
The ICO’s investigation found that the attacker used a common and “well understood” technique known as SQL injection to access the data.
“Defences exist and TalkTalk ought to have known it posed a risk to its data,” the ICO said.
The company had also missed two early warnings of the problem. The first was a successful SQL injection attack on 17 July 2015 that exploited the same vulnerability in the web pages, and the second was an attack launched between 2 and 3 September.