
(Image Credit: iStockPhoto/Stephen Martin)
If there’s an example to be made of the need to keep the data of your users safe, it’s that of TalkTalk. The UK ISP suffered a cyber attack last October which resulted in masses of personal customer and financial data being stolen.
Under the law you must publicly disclose such a breach where personal information has been leaked or face the wrath of the EU courts. The UK's Information Commissioner's Office (ICO) has fined the ISP a "record" £400,000 to push other companies to bolster the security that protects their customers' data; the penalty would have been much higher had TalkTalk not disclosed the hack.
"TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease," said Elizabeth Denham, Information Commissioner. "Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."
The attack that compromised the ISP's systems combined a Distributed Denial of Service (DDoS) with a SQL injection exploit. Data was taken from a customer database that TalkTalk inherited with its acquisition of Tiscali back in 2009; the injection was aimed at three vulnerable web pages in that infrastructure.
Personal data of 156,959 customers was exposed in the hack, including names, addresses, phone numbers, dates of birth, and email addresses. In a further 15,656 cases, the hacker gained access to bank account numbers and sort codes.
“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting,” continued Denham. “Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
Prior to its major breach, TalkTalk suffered two smaller attacks that exploited the same vulnerability and should have served as a warning to patch its systems.
Beyond the embarrassment of the attack, TalkTalk is expected to lose tens of millions of pounds as damage to its brand drives subscribers to abandon the ISP. Several individuals were arrested in connection with the attack, including 19-year-old Daniel Kelley, who attempted to extort 465 Bitcoins (worth £216K) from TalkTalk and has been accused of carrying out similar attacks and making blackmail demands against several other companies.
“I am pleased the ICO is taking this particular loss very seriously and believe that the amount is appropriate in the circumstances. Some people may think £400,000 is high, but let’s remember it is only £2.50 per impacted customer,” comments Nigel Hawthorn, chief European spokesperson at Skyhigh Networks. “However, the real loss to TalkTalk is far greater. It had a stock price drop of 11 percent, claimed to have lost 101,000 customers and had a revenue reduction of £80M in the quarter after the attacks. In addition, the name TalkTalk will forever be linked to this and its other data loss incidents.”
Do you believe TalkTalk’s fine is deserved? Share your thoughts in the comments.