New information commissioner Elizabeth Denham has sent an uncompromising message to UK organizations that cybersecurity is a boardroom matter, by issuing a £400,000 fine to ISP TalkTalk for security failings that allowed a hacker to access customer data last year.
The financial penalty, the first she’s issued in the new role, is unusual in that it stems from an external attack rather than from staff failings.
The privacy watchdog found that TalkTalk had failed to protect infrastructure it inherited from its Tiscali acquisition.
This allowed a hacker to exploit an SQL injection bug in three vulnerable web pages and access the underlying customer database.
The ISP was apparently unaware the infrastructure existed, so the database software was left outdated – even though a fix was available for the flaw the hacker exploited.
The attacker managed to access personal data on over 156,000 customers including names, addresses, dates of birth and email addresses – over 15,000 of whom also had their financial data exposed.
To make matters worse, TalkTalk had already suffered an SQL injection attack in July 2015 that exploited the same vulnerability, and another in September that year, the ICO said.
“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting,” said Denham in a statement.
“Today’s record fine acts as a warning to others that cybersecurity is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
Jes Breslaw, EMEA director of strategy, Delphix, argued the firm is lucky the new EU GDPR is not in force or it could have been fined in the tens of millions.
“The TalkTalk hack stands as a reminder of the sensitivity of unmasked data. Customer-sensitive data such as credit card numbers and bank details are a lucrative money-spinner for criminals on the dark web,” he added.
“In this instance the hack went unnoticed for a prolonged period, increasing the value of the data to fraudsters, and triggering a hefty fine.”
Jonathan Martin, EMEA Operations Director at Anomali, argued that TalkTalk fell down on the most basic of security measures.
“Organizations must take steps to simplify processes to enable them to identify and distil internal, as well as external, security data into actionable insights, in order to activate response plans,” he explained. “Prevention is far better than the business and reputational damage of any security incident.”
High-Tech Bridge CEO Ilia Kolochenko added that the £400,000 fine is likely to be small in comparison to other financial losses coming as a result of the breach.
“Probably, one of the most expensive parts of such breaches is a dramatic cost increase in new customer acquisition: much more time and resources are required to attract and convince new customers to sign up after a major data breach,” he explained.
Indeed, reports after the incident claimed the firm lost 7% of its broadband customers following the breach, while it also admitted to spending £35 million on incident response and remediation.
“The TalkTalk case highlights the importance of web applications for modern businesses: a tiny SQL injection on a forgotten subdomain may cost tens of millions of dollars, lost market share and reputation,” concluded Kolochenko.
“Continuous web security monitoring and a properly implemented secure software development life cycle can significantly reduce the risk of such incidents.”