TalkTalk has been hit by a record-breaking £400,000 fine, after security failings allowed hackers to publish customers’ personal data in October last year.
The fine is the biggest ever imposed by the Information Commissioner’s Office (ICO) but, according to cyber security expert Mark Skilton, it is unlikely to have a lasting effect on TalkTalk’s finances.
The hack was found to be a result of TalkTalk failing to take basic steps to protect customers’ information and resulted in attackers being able to access the personal information of over 150,000 customers.
The hackers used a well-known technique to penetrate TalkTalk’s security defences. The ICO stated that “SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data.”
“On top of that, the company also had two early warnings that it was unaware of. The first was a successful SQL injection attack on 17 July 2015 that exploited the same vulnerability in the web pages. A second attack was launched between 2 and 3 September 2015.”
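The defence the ICO refers to is shown below as an added illustration (not code from the article, the ICO or TalkTalk): a customer lookup built by string concatenation beside the parameterised version, run against a constructed in-memory SQLite table with invented sample rows, so the difference in behaviour can be checked directly.

```python
import sqlite3

# Constructed sample data; the table, rows and account numbers are invented.
SAMPLE_ROWS = [
    ("alice@example.com", "ACC-0001"),
    ("bob@example.com", "ACC-0002"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, account_no TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, account_no) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_vulnerable(conn, email):
    # Vulnerable pattern: user input is pasted into the SQL text, so quotes
    # and keywords in the input change the query's logic.
    query = "SELECT email, account_no FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    # Hardened pattern: a parameterised query. The driver passes the value
    # separately from the SQL text, so it is only ever compared as data.
    query = "SELECT email, account_no FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# A textbook tautology input used only to show the contrast between the two lookups.
CRAFTED_INPUT = "' OR '1'='1"


def demo():
    conn = make_db()
    return {
        # Concatenation turns the WHERE clause into a condition that is always true.
        "vulnerable_rows": len(lookup_vulnerable(conn, CRAFTED_INPUT)),
        # Parameterised lookup treats the same string as a literal email address.
        "safe_rows": len(lookup_safe(conn, CRAFTED_INPUT)),
        # Normal use still works with the hardened version.
        "normal_rows": len(lookup_safe(conn, "alice@example.com")),
    }


if __name__ == "__main__":
    print(demo())
```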
TalkTalk chief executive Dido Harding admitted that last October was a challenging time for the company, and said she was working hard to regain the trust of customers.
“Throughout the cyber attack, we worked hard to put our customers first, and we know that they have appreciated our efforts and our honesty throughout.”
Earlier this year, TalkTalk revealed the attack had cost the company £42 million and that over 100,000 customers had left in the aftermath of the attack.
In a statement, TalkTalk said: “TalkTalk has co-operated fully with the ICO at all times and, while this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers.”
A police investigation of the data theft is still in progress, and has resulted in the arrests of six people so far.