Major UK telecoms company, TalkTalk has been fined £400,000 for failing to adequately safeguard personal data when they were hacked in October 2015. The Information Commissioner’s Office’s (ICO) investigation revealed that hackers obtained the details of 156,959 customers, including names, addresses, birthdates, phone numbers and email addresses. In over 15,000 cases, hackers even gained access to bank account details and sort codes. The cyber-attack triggered the launch of a committee inquiry into protection of personal data online. You can read the inquiry report here.
After in depth investigation, the ICO found that TalkTalk’s failure to implement even the most basic cyber security measures allowed hackers to easily penetrate its systems causing substantial damage and distress to its customers. See how the investigation unfolded here and read the ICO’s penalty notice here. The ICO identified TalkTalk’s principal errors as failing to actively monitor its own activities and allowing vulnerabilities to go unnoticed, failing to update its database to protect from bugs, failing to respond to two previous attacks on the same webpages and failing to fix a bug in the software for which a fix was readily available.
It would seem regulators are losing patience with organizations that don’t take their security obligations seriously.