A data breach at the UK ISP TalkTalk in 2015 has now resulted in the company being fined £400,000 by the national data protection agency. The penalty is a hard-hitting one for the ICO to hand out, although it is still £100K short of the current maximum it can impose.
The breach for which this fine has been levied took place in October 2015, when data from nearly 157,000 TalkTalk customer accounts was stolen from its website by hackers. Shortly afterwards, police arrested two teenage boys in connection with the hack, but the investigation remains ongoing. A total of six arrests have been made, according to the BBC.
The size of the data breach was not as large as was initially feared, and the number of TalkTalk customers whose bank account or partial credit card details were taken was even smaller (somewhere in the tens of thousands). However, what led to widespread condemnation was the ease with which hackers were able to penetrate the ISP’s security systems and make off with sensitive data.
The hackers used SQL injection against vulnerable web pages that TalkTalk had inherited through its acquisition of another UK ISP, Tiscali. Two earlier attacks exploiting the same vulnerability had apparently been ignored by TalkTalk in the same year, which probably explains the severity of the fine.
In the press release on the ICO website, Information Commissioner Elizabeth Denham said of the fine:
TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.
Data breach penalties are poised to rise sharply in Europe when the new General Data Protection Regulation (GDPR) comes into force in May 2018. At that point maximum fines will rise to up to four per cent of a company’s global turnover (or €20 million, if larger). The logic behind this move is to force companies to prioritise securing customer data. On the size of the fine, Denham added:
Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this because they have a duty under law, but they must also do this because they have a duty to their customers.
Under the new European law, companies collecting customer data or processing sensitive data at a large scale will also be required to appoint a Data Protection Officer, whose responsibility it will be to report any data breaches to the relevant national DPA. The GDPR puts the onus on companies to report data breaches quickly, in most cases within 72 hours of becoming aware of them. How the UK will negotiate compliance with European law after it leaves the European Union remains a grey area following this summer’s Brexit vote, but any UK company with customers in Europe would still need to comply with the GDPR.