TalkTalk has been fined a record £400,000 for security breaches that resulted in the identity theft of nearly 157,000 customers.
A cyberattack last October exposed the company’s latest security breach, which forced it to admit it hadn’t encrypted some of its customers’ personal data.
The Information Commissioner’s Office (ICO) said the attack could have been prevented if TalkTalk had taken basic steps to protect customer information.
The personal data of nearly 157,000 customers was stolen, including bank account numbers, dates of birth and addresses.
Elizabeth Denham, Information Commissioner, said: “TalkTalk’s failure to put in place the most basic cyber security measures has made it easy for hackers to break into TalkTalk’s systems.”
“Yes, hacking is wrong, but that’s no reason for companies to abandon their security commitments.”
“TalkTalk should have and could have done more to protect their customer information. This did not happen, and we took action,” she added.
An investigation by the ICO found that the hackers had accessed, through vulnerable web pages that TalkTalk had not discovered, a database of customer details that TalkTalk obtained from its takeover of rival firm Tiscali.
TalkTalk also missed “two warnings” before the hack, which should have alerted the firm to problems with its software and data storage.
“Despite their experience and resources, when it came to the core principles of cybersecurity, TalkTalk was not enough,” Denham said.
“Today’s record fine serves as a warning to others that cybersecurity is not an IT issue, but a board issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under the law, but also because they have a duty to their customers,” she added.
Mark Skilton, a professor at Warwick Business School and a cybersecurity expert, said the fine was minor and little more than a “prick” to TalkTalk’s finances.
“Even with the reported figures of 157,000 personal details and 16,000 of them having their bank details stolen, that still only amounts to £2.50 per person, or £25 per person who lost bank details. The penalty appears to be ‘proportional’ to the impact, but does little to take into account the potential risks and lack of due diligence on the part of a company with four million subscribers,” Skilton said.
“TalkTalk seems to have gotten off lightly here, even if their argument is that millions of customers were not at risk: corporations need to have a clear message and penalty approach in order to manage and treat cybersecurity as a real corporate risk and not just an issue with customer data mismanagement,” he added.
TalkTalk’s profits have more than halved since the cyberattack.
Profit before tax fell to £14m for the year to 31 March from £32m a year earlier.
Earlier this year, Dido Harding, chief executive of TalkTalk, acknowledged that last October was a challenging period for the company.
She said that TalkTalk is working to restore customer confidence.
“During the cyber attack, we worked hard to make sure our customers come first, and we know they appreciated our efforts and our integrity.”
Credit: www.independent.co.uk