TalkTalk has been fined a record £400,000 by the Information Commissioner’s Office (“ICO”) for website security failings which led to the theft of the personal data of customers.

The Cyber Attack

In October 2015 TalkTalk was hit by a cyber-attack when attackers stole the personal data of nearly 160,000 customers.

The attackers targeted outdated database software on which personal data of customers inherited following TalkTalk’s 2009 acquisition of Tiscali’s UK operations was held. The attackers used a technique known as SQL injection to hack three vulnerable web pages through which the data was accessed.

The attackers stole the personal data of customers, including their names, addresses, dates of birth, phone numbers and email addresses. Furthermore, they stole bank account details of nearly 16,000 individuals.

ICO’s Decision

The ICO found that TalkTalk was responsible for a number of website security failures that allowed the attackers to steal the data. The ICO concluded that TalkTalk failed to maintain adequate security measures to protect the personal data and it was therefore in breach of the seventh principle of the Data Protection Act 1998 (“DPA”).

TalkTalk was said to have had failed to secure the vulnerable webpages that were targeted by the attackers. It did not properly scan the infrastructure inherited from Tiscali for threats and, as a result, it was unaware that the vulnerable pages existed or that they allowed access to a database containing customer personal data.

The ICO also found that the database software was outdated and affected by a bug that allowed the attacker to bypass certain access restrictions. A fix for this bug was available and this would have prevented the attack. Furthermore, TalkTalk was unaware of two previous SQL injection attacks earlier in 2015 which exploited the same vulnerable websites.

Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease…TalkTalk should have and could have done more to safeguard its customer information. It did not and we have taken action.”


The fine is the largest ever issued by the ICO, which currently has the power to impose a maximum fine of £500,000. Note also that the General Data Protection Regulation will have direct effect in the UK from 25 May 2018, bringing with it fines of up to €20 million or 4% of an organisation’s annual worldwide turnover. This is a sobering thought for anyone who, until now, failed to take data security seriously. Additionally, businesses must consider the reputational damage associated with censure by the ICO, as well as the internal management costs that will have accrued as a result of this.

The Information Commissioner warned: “[the] record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this because they have a duty under law, but they must also do this because they have a duty to their customers.”

Businesses should learn from TalkTalk’s failures and ensure that they have in place adequate systems to safeguard the personal information of their customers and thus ensure compliance with the DPA. Particular care should be taken when inheriting systems following mergers or acquisitions, and such systems should be scanned thoroughly for any security vulnerabilities. Appropriate due diligence must be undertaken to avoid situations such as this.

Finally, the record fine may be regarded as a statement of intent by the new Information Commissioner, Elizabeth Denham, who took over the role in July 2016. Ms Denham has indicated that she plans to take a tough approach to businesses that fail to protect customer data. She has already launched investigations into Facebook regarding a change to WhatsApp’s privacy policy, and Yahoo following the hack of the personal data of millions of its customers. It is therefore apparent that the ICO may more closely investigate breaches of the DPA and impose larger fines under her leadership. Organisations should also bear in mind that fines will be higher under the General Data Protection Regulation, and presumably under the UK equivalent post-Brexit.