TalkTalk has received a record £400,000 fine for cybersecurity shortcomings that contributed to the cyberattack it suffered in 2015.
According to an ICO investigation, this attack could have been prevented if TalkTalk had taken basic security measures to protect customer data.
Elizabeth Denham, information commissioner at the ICO, said: “TalkTalk’s failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk’s systems with ease.
“TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
Between 5 and 21 October 2015, personal information belonging to 156,959 of its customers was accessed. The personal bank details of more than 15,000 customers were also accessed.
As stated in the ICO’s report, TalkTalk’s failings breached the seventh data protection principle of the Data Protection Act, which states:
“Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
The cyberattack was carried out using SQL injection. According to the ICO investigation, TalkTalk should have known that this type of attack posed a risk to its data.
Denham concluded: “Today’s record fine acts as a warning to others that cybersecurity is not an IT issue, it is a boardroom issue.
“Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”