TalkTalk Slammed with Record Fine Over BreachPrivacy Watchdog Cites Outdated Database, SQL Injection Attack
Britain's privacy watchdog agency has slammed TalkTalk with a record fine of £400,000 ($511,000) for information security failings that allowed a hacker to steal customer data "with ease."
The London-based TV, broadband, mobile and phone provider, formally known as TalkTalk Telecom Group, suffered a devastating breach last year that ran from Oct. 15 to 21. The incident could have been prevented had the company put some basic security measures in place, the U.K. Information Commissioner's Office determined (see 5 Lessons from the TalkTalk Hack).
The ICO imposed the fine after finding that TalkTalk, which trades on the London Stock Exchange, violated the U.K.'s Data Protection Act by failing to put proper security measures in place to safeguard user data.
The attacks against TalkTalk resulted in the exposure of personal data - name, address, date of birth, telephone number, email address and financial information - on almost 157,000 customers, plus bank accounts and sort codes for more than 15,000 customers, according to a partially redacted report published by the ICO.
"TalkTalk's failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk's systems with ease," Information Commissioner Elizabeth Denham says in a statement. "Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."
The ICO's report says that the TalkTalk breach involved infrastructure that was created by Italian telecommunications firm Tiscali - TalkTalk acquired its U.K. operations in 2009 - and in particular webpages that had access to a database called "Tiscali Master." The ICO says TalkTalk had failed to properly scan its infrastructure for potential threats and thus "was not aware that Tiscali's infrastructure included webpages that were still available via the internet in 2015" and which had access to the database and thus should have either been secured or removed.
In addition, TalkTalk was using an outdated version of the MySQL open source SQL database management system, which contained a known flaw that allowed the attacker to bypass access restrictions on the database. "The bug was first publicized in 2012 when a fix was made available by the software vendor," the ICO notes.
SQL Inject Attacks Could Have Been Prevented
After bypassing the access controls, the attacker then used the open source penetration testing tool sqlmap to scan the database for SQL injection flaws and exfiltrated data via a SQL injection attack, the ICO says. "User input was not validated," it adds, a step that could have blocked the SQL injection attack.
The ICO notes that TalkTalk failed to put proper defenses in place against SQL injection exploits despite having suffered a successful SQL injection attack on July 17, 2015, followed by another such attack less than two months later.
The maximum fine that the ICO can levy is £500,000 ($635,000). TalkTalk likely wasn't slammed with the maximum penalty because the privacy watchdog report found that the security failings were not a deliberate attempt "to ignore or bypass" the Data Protection Act, but rather amounted to "serious oversight."
In addition, the ICO report notes that the attack against TalkTalk cooperated fully with investigators; notified its customers and offered 12 months of free credit monitoring; and has since undertaken appropriate remedial action.
Reminder: Duty to Customers
But the ICO says the episode is a reminder that no organization should overlook cybersecurity concerns or skip basic information security practices.
"Today's record fine acts as a warning to others that cybersecurity is not an IT issue, it is a boardroom issue," the ICO's Denham says. "Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers."
If TalkTalk pays the fine by Nov. 1 without contesting it, then the ICO notes that the monetary penalty will be reduced by 20 percent to £320,000 ($405,000).
That's a far cry from the fine that could have been imposed on TalkTalk under the EU General Data Protection Regulation, which U.K. businesses will be required to comply with as of May 2018, at least until Britain negotiates its "Brexit" from the EU. Under the GDPR, information commissioners can fine firms that violate EU privacy law up to 4 percent of their global annual revenue or €20 million ($22.5 million) - whichever is greater.
TalkTalk in February reported that the breach had already cost it £50 million ($76 million) and led to the loss of 100,000 customers.
London's Metropolitan Police is continuing a criminal investigation into the attack against TalkTalk.
So far, six individuals - ages 15 to 20 - have been arrested in connection with the attacks or subsequent attempts to blackmail TalkTalk (see TalkTalk Hack: UK Police Bust Teenage Suspect).