The ICO has revealed this week that it has fined communications company TalkTalk £400,000 (out of a maximum £500,000) for its poor web security following the theft of nearly 157,000 customer account details in October 2015. As we reported in our blog of 13th May 2016, the company’s profits were also deeply hit as a direct result of the attack, and the firm lost 101,000 subscribers in the first quarter after the attack.
The report by the ICO was scathing, with Information Commissioner Elizabeth Denham commenting, “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action”.
In nearly 16,000 cases, the attacker was able to steal bank account details. Additionally, legacy software dating back from when TalkTalk took over rival Tiscali was found to be out of date, leaving vulnerable web pages open to attack using SQL injection. TalkTalk had been unaware of the problem, which could have been readily fixed if its security measures had been kept up to date.
The ICO explained that TalkTalk had been very lax in enforcing proper security on its own website. Ms Denham added, “In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting. Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue”. These comments completely echo the advice Amicus ITS has consistently given to its customers and shared with the wider business community at its regional thought leadership cyber security roadshows.
The next Amicus ITS cyber security event will be held on 24th November 2016. Further details will be posted on the main Amicus ITS events page.