October 5, 2016

TalkTalk fined £400K for mistakes that led to 2015 hack

by John_A

TalkTalk’s attempt to shake off its hack-smeared image has been dealt a major blow by the UK’s Independent Commissioner’s Office (ICO). The regulator has handed the company a record £400,000 fine for its security failings last year, which allowed attackers to steal the personal data of 156,959 customers. Of that number, 15,656 had their bank account numbers and sort codes taken. Information Commissioner Elizabeth Denham said the telecoms company, which offers broadband, TV and phone services, failed to implement “the most basic security measures” and “could have done more to safeguard its customer information.”

So what exactly happened? Well, the information was taken from a database obtained as part of TalkTalk’s Tiscali acquisition in 2009. According to the ICO, TalkTalk failed to investigate its new asset properly — three vulnerable webpages slipped through the cracks, because of outdated database software that was no longer supported by its creator. A patch had already been issued by the developer, but neither Tiscali nor TalkTalk had applied it. “Had it been fixed, this (hack) would not have been possible,” the ICO claims. In the third week of October 2015, the attacker(s) used a technique called SQL injection to obtain the data.

“When it came to the basic principles of cyber-security, TalkTalk was found wanting,” Denham said. “Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”

The hack has taken a toll on TalkTalk’s profits and subscriber numbers. To recover, the company is attempting a major reboot with new branding, packages and customer guarantees. But shaking its tarnished image could be easier said than done. As the Guardian reports, TalkTalk’s new, simplified tariffs — which bundle line rental for a single monthly fee — come at the expense of its legacy plans. Around half of its customers will be hit with price increases unless they switch to one of the new plans.

TalkTalk says it’s “listened hard” to customer feedback. “People are fed up of confusing packages and loud advertising, they’re frustrated with deals which shoot up mid contract, and they hate seeing the best deals saved for new customers,” Tristia Harrison, TalkTalk’s Consumer Managing Director, said. Let’s hope they’ve listened just as hard to the ICO’s criticisms.