TalkTalk has been issued with another fine for failing to look after customers’ data, 10 months after being hit with a record fine of £400,000.
The previous penalty was imposed in October 2016 for the cyber attack in 2015 that exposed the personal details of more than 150,000 customers, but TalkTalk has now received an additional fine of £100,000.
The latest fine is the result of an Information Commissioner’s Office (ICO) investigation that found TalkTalk had breached the Data Protection Act because it allowed staff to have access to large quantities of customers’ data.
TalkTalk’s lack of adequate security measures left the data open to exploitation by rogue employees, the ICO said.
The breach came to light in September 2014 when TalkTalk began getting complaints from customers that they were receiving scam calls in which the scammers pretended they were providing support for technical problems and quoted customers’ addresses and TalkTalk account numbers.
Asked why the ICO had issued a fine now, so long after the fine for the 2015 breach, an ICO spokesperson told Computer Weekly there were two investigations that were totally different and separate, and that complicated cases typically take longer to finalise.
As a result of TalkTalk customer complaints, the ICO launched an investigation into how customers’ names, addresses, phone numbers and account numbers were compromised.
Although the investigation did not find direct evidence of a link between the compromised information and the complaints about scam calls, it did uncover data protection issues with a TalkTalk portal through which customer information could be accessed.
One of the companies with access to the portal was Wipro, a multinational IT services company in India that resolved complaints and addressed network coverage problems. A specialist investigation by TalkTalk identified three Wipro accounts that had been used to gain unauthorised and unlawful access to the personal data of up to 21,000 customers.
This meant 40 Wipro employees had had access to the data of between 25,000 and 50,000 TalkTalk customers and were able to log into the portal from any device, view up to 500 customer records at a time, carry out searches, and export data.
The ICO found this level of access was unjustifiably wide-ranging and put the data at risk, showing that TalkTalk did not have appropriate measures in place to keep data secure.
Information commissioner Elizabeth Denham said TalkTalk should have known better and should have put its customers first.
“TalkTalk may consider themselves to be the victims here, but the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people,” she said.
The investigation found that TalkTalk should have been aware of the risks and that the misuse of personal data was likely to cause substantial damage or distress.
The ICO said the company should also have been aware of the increasing prevalence of scams and attempted frauds and should have assessed the measures it had in place to mitigate against them.
According to the ICO, TalkTalk had ample opportunity over a long period of time to implement appropriate measures, but failed to do so. The company should have made sure the portal could only be accessed from authorised devices and could have taken steps to prevent large-scale accessing and exporting of personal data through the portal, the ICO said.
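The measures the ICO says were missing (portal access only from authorised devices, and limits on large-scale viewing and exporting of records) can be expressed as a policy check that runs over portal access logs, either inline in the portal or retrospectively over an audit trail. The following is an added example, not code from TalkTalk, Wipro or the ICO; the log format, user names, device identifiers and numeric thresholds are all constructed assumptions, chosen only to show how one blocked bulk pull and one drip-fed export would be caught.

```python
"""Policy check for a customer-data portal: authorised devices only, a cap on
records per request, and a per-user sliding-window export limit.
Added example; every value below is constructed, not taken from the ICO notice."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy thresholds (the portal described by the ICO allowed 500 at a time).
MAX_RECORDS_PER_REQUEST = 50
MAX_EXPORTED_RECORDS_PER_DAY = 200      # per account, sliding 24-hour window
EXPORT_WINDOW = timedelta(hours=24)

# Constructed allow-list of managed devices; anything else is refused.
AUTHORISED_DEVICES = {"wipro-desk-0001", "wipro-desk-0002", "talktalk-lap-0100"}


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    device: str
    action: str          # "view", "search" or "export"
    record_count: int


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


class PortalAccessPolicy:
    """Stateful evaluator: remembers each user's recent exports so that many
    small exports cannot add up to one bulk extraction."""

    def __init__(self):
        self._exports = defaultdict(deque)   # user -> deque of (timestamp, count)

    def _exported_in_window(self, user, now):
        q = self._exports[user]
        while q and now - q[0][0] > EXPORT_WINDOW:
            q.popleft()                      # drop exports older than the window
        return sum(count for _, count in q)

    def evaluate(self, ev: AccessEvent) -> Decision:
        reasons = []
        if ev.device not in AUTHORISED_DEVICES:
            reasons.append(f"unauthorised device {ev.device}")
        if ev.record_count > MAX_RECORDS_PER_REQUEST:
            reasons.append(f"{ev.record_count} records exceeds per-request cap {MAX_RECORDS_PER_REQUEST}")
        if ev.action == "export":
            already = self._exported_in_window(ev.user, ev.ts)
            if already + ev.record_count > MAX_EXPORTED_RECORDS_PER_DAY:
                reasons.append(f"24h export total would reach {already + ev.record_count}, cap {MAX_EXPORTED_RECORDS_PER_DAY}")
        allowed = not reasons
        if allowed and ev.action == "export":
            self._exports[ev.user].append((ev.ts, ev.record_count))   # count only exports that went ahead
        return Decision(allowed, reasons)


def parse_line(line: str) -> AccessEvent:
    """Parse a constructed log line such as
    '2014-09-01T09:00:00 user=alice device=wipro-desk-0001 action=view records=20'."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return AccessEvent(datetime.fromisoformat(ts_str), fields["user"],
                       fields["device"], fields["action"], int(fields["records"]))


# Constructed sample log: a benign session, a 500-record search from an unknown
# device, and a user who tries to beat the per-request cap with repeated exports.
SAMPLE_LOG = """\
2014-09-01T09:00:00 user=alice device=wipro-desk-0001 action=view records=20
2014-09-01T09:05:00 user=alice device=wipro-desk-0001 action=export records=40
2014-09-01T09:10:00 user=bob device=home-pc-unknown action=search records=500
2014-09-01T10:00:00 user=carol device=wipro-desk-0002 action=export records=50
2014-09-01T10:20:00 user=carol device=wipro-desk-0002 action=export records=50
2014-09-01T10:40:00 user=carol device=wipro-desk-0002 action=export records=50
2014-09-01T11:00:00 user=carol device=wipro-desk-0002 action=export records=50
2014-09-01T11:20:00 user=carol device=wipro-desk-0002 action=export records=50
"""


def audit(log_text: str):
    """Replay a log through the policy and return (line, decision) for each blocked event."""
    policy = PortalAccessPolicy()
    blocked = []
    for line in log_text.splitlines():
        decision = policy.evaluate(parse_line(line))
        if not decision.allowed:
            blocked.append((line, decision))
    return blocked


if __name__ == "__main__":
    for line, decision in audit(SAMPLE_LOG):
        print("BLOCK", line, "|", "; ".join(decision.reasons))
```

Run as written, the check blocks two of the eight events: the 500-record search from the unmanaged device (two reasons) and carol's fifth export, which on its own is within the per-request cap but pushes her 24-hour total past the export limit. The sliding window is the part that matters against a rogue insider, since a per-request cap alone is defeated by simply repeating the request.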
The £400,000 penalty was issued in October 2016 after the ICO found TalkTalk had failed to apply “the most basic cyber security measures”, leaving its database vulnerable to a SQL injection attack after failing to apply a fix for a software bug that had been available for more than three years.
At the time, some commentators questioned whether even the maximum fine of £500,000 that the ICO could impose under the UK Data Protection Act was enough to make large organisations improve their security practices.
Since then, the UK government has announced plans to introduce new data protection legislation in line with the EU’s General Data Protection Regulation (GDPR) that will enable the ICO to impose fines of up to £17m or 4% of an organisation’s global turnover.
Denham said the UK fought for increased powers when the GDPR was being drawn up because heavy fines for serious breaches reflect just how important personal data is in a 21st century world, but the ICO intends to use those powers proportionately and judiciously.
In May 2017, former TalkTalk CEO Dido Harding said the biggest lesson learned from the 2015 cyber attack was that TalkTalk and everyone else is not taking cyber security seriously enough.
“We thought we were taking it seriously, but of course we weren’t taking it seriously enough, and no one is,” she told the Security Innovation Network (Sinet) Global Cybersecurity Innovation Summit in London. “A lot of business leaders are afraid of it, and want to delegate it down.”
The other big learning is that getting the basics right is really difficult, said Harding. “I don’t like the term cyber hygiene because it implies that those who haven’t got their hygiene right are stupid, but it is just darned hard to do,” she said.
However, Harding said that just by focusing on those basics, many companies, including TalkTalk, could have prevented a cyber attack.
“We were guilty of not knowing our total network footprint,” she said. “We were attacked on a website that was no longer being used, hadn’t been used by a company we had bought 10 years ago, and hadn’t been picked up by any of the due diligence done.
“Now you can argue that we should have found it, but we hadn’t. On that website, which was developed more than 10 years ago, there was an SQL injection vulnerability, which was obvious if you knew it existed – but we didn’t.”