October 5, 2016

UK Telecom Giant TalkTalk Sees a Record Fine for Data Breach


TalkTalk, the UK telecom and internet service provider that suffered a large-scale hack in October 2015, has been handed a record £400,000 fine (approx. $509,934) by the UK's Information Commissioner's Office (ICO).

In the October 2015 breach, the personal information and, in some cases, financial details of more than 150,000 customers were stolen.

Almost a year after the incident, the ICO revealed that its investigation had determined that the breach "could have been prevented if TalkTalk had taken basic steps to protect consumers' information."

Altogether, the attacker accessed the personal data of 156,959 customers. The stolen data included customers' names, addresses, dates of birth, phone numbers and email addresses. In 15,656 of those cases, the attacker also had access to bank account details and sort codes.

In damning statements, Information Commissioner Elizabeth Denham said:

TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.

Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.

The penalty notice also set out the findings of the investigation. The compromised customer database was inherited infrastructure, carried over from TalkTalk's acquisition of another company. The attacker got in through three vulnerable web pages that gave access to that inherited database. TalkTalk was unaware the vulnerable pages existed because it had never properly scanned the acquired infrastructure.

The database software behind those pages was outdated, and a fix for the flaw that was exploited was already available. Had the fix been applied, the breach would not have happened.

As in many web-application breaches, the attacker extracted the data with a SQL injection attack. The practical lesson is the combination of the two failures above: an asset that nobody inventoried after an acquisition, running software nobody patched, with no scanning that would have surfaced either problem.
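To make the SQL injection point concrete, here is an added illustration that is not part of the original article or of the ICO's notice (which does not publish the injected queries). It uses an in-memory SQLite table with constructed sample rows, a hypothetical customer lookup built by string concatenation beside its parameterized counterpart, and a classic tautology payload; the table name, columns and payload are assumptions for the demonstration, not TalkTalk's schema.

```python
import sqlite3

# Constructed sample data standing in for an inherited customer table.
# Schema and rows are assumptions for this example, not TalkTalk's.
CUSTOMERS = [
    ("alice@example.com", "Alice", "11-22-33"),
    ("bob@example.com", "Bob", "44-55-66"),
]

# Tautology payload: closes the quoted literal and appends an always-true clause.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, sort_code TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Deliberately injectable: user input is spliced into the SQL text.

    With PAYLOAD the statement becomes
    SELECT ... WHERE email = 'x' OR '1'='1', which matches every row.
    """
    sql = "SELECT name, sort_code FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened form: the value is bound to a placeholder by the driver.

    The database parses the query shape first; the input is only ever data,
    so the same PAYLOAD is compared literally against the email column.
    """
    sql = "SELECT name, sort_code FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups against the same payload and a legitimate email."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),        # every customer leaks
        "parameterized": lookup_parameterized(conn, PAYLOAD),  # no match
        "legit": lookup_parameterized(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:14} -> {rows}")
```

The vulnerable lookup returns every row, including the sort codes, for a single crafted input; the parameterized version returns nothing for the payload and still works for a genuine address. Parameterized queries are the first-line fix, but the article's other point stands independently: the injection only mattered because an unpatched, uninventoried system was reachable from the internet.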

The £400,000 penalty is close to the £500,000 maximum the ICO can levy. The previous record for an ICO fine was £350,000, issued against Prodial, a company behind 46 million automated nuisance calls.

Image credit: Pixabay.

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients' engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
