Teal blue graphic

ICO issues record fine for TalkTalk breach

The ICO has issued its largest ever fine of £400,000 to TalkTalk in relation to the well-publicised cyber attack last October. The fine serves as a reminder to businesses of the importance of ensuring adequate technical security measures are in place to protect personal data. 

Background

The cyber attack occurred between 15 and 21 October 2015. Six years earlier, TalkTalk acquired Tiscali. Tiscali’s infrastructure included certain webpages that were still available in 2015 and that allowed access to an underlying database of customer details. The October 2015 attack involved a hacker carrying out an SQL injection attack, where SQL commands are 'injected' into a webpage in order to gain access to resources or data. This particular attack enabled the hacker to exfiltrate data from the database. The hacker accessed personal data relating to a total of 156,959 customers on the database, including the bank account number and sort code of 15,656 of those customers. 

TalkTalk notified the attack to the ICO on 22 October 2015 and the breach hit headlines the following day. There followed an extensive investigation by the ICO into the breach and plenty of adverse publicity as major news outlets worldwide covered the attack. 

The breach

The ICO found that TalkTalk had breached principle 7 of the Data Protection Act 1998. This principle requires that data controllers must take appropriate technical and organisational security measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. In other words, businesses handling personal data must take reasonable steps to keep it secure. The ICO considered that TalkTalk had failed to do so. In particular: 

  • TalkTalk should have been aware of the legacy webpages acquired from Tiscali and failed to remove them or make sure they were secure. 
  • The database software in use was an outdated version of MySQL. The software was affected by a bug which had allowed the hacker to gain access to the database. A bug fix had been available since 2012 but TalkTalk had failed to take advantage of it. 
  • TalkTalk had failed to take appropriate monitoring activities to discover vulnerabilities. In fact, there had been two previous SQL injection attacks earlier in 2015, but TalkTalk had failed to pick up on these because they had not monitored the webpages. 
  • TalkTalk had the financial and staffing resources available to take far more robust measures to protect personal data. Therefore, there was no good reason why such measures were not taken. 
  • The individuals whose data had been taken would be distressed by concerns about what had happened to their data as a result of the breach. The 15,656 people whose bank details had been accessed were potentially subject to further damage as a result of fraud. 

The fine

The fine of £400,000 represents the ICO’s largest fine levied so far. The potential maximum fine the ICO is entitled to issue is currently £500,000, although this is due to increase under the General Data Protection Regulation. The fine reflects the severity of the incident and serves as a timely reminder of the importance of keeping personal data secure. 

How can you avoid the same risks?

Businesses should make sure that all software used is up-to-date and bug fixes are implemented as soon as possible. In acquisitions, thorough due diligence should be carried out to identify legacy webpages and systems and establish what updates are required to ensure these are appropriately secured.

Contributor: Emma Fox

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.


Insights & events View all