News has emerged this week that telecoms company TalkTalk has been issued with a record £400,000 fine by the UK Information Commissioner's Office for security failings that allowed a cyber attacker to easily access customer data. The ICO investigation found that an attack on the company last October could have been prevented if TalkTalk had taken basic steps to protect customers’ information.
The attacker was able to access the personal data of 157,000 customers including their names, addresses, dates of birth, phone numbers and email addresses. For 15,000 customers the attacker also had access to bank account details.
The data was taken from a customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009 and was accessed through an attack on three vulnerable webpages within Tiscali’s infrastructure.
TalkTalk was not aware that the installed version of the database software was outdated and no longer supported by the provider. The company said it did not know at the time that the software was affected by a bug – for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible. The attacker used a common technique known as SQL injection to access the data. The company had two early warnings that it ignored. Both were successful SQL injection attacks in 2015 that exploited the same vulnerability in the webpages.
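To make the failure concrete, here is an added illustration (not TalkTalk's code; the customer table, column names and log lines are constructed) of a customer lookup whose access restriction can be rewritten by the input, the parameterised form that closes the hole, and a crude log check of the kind that would have surfaced the earlier attacks as warnings:

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample rows standing in for a customer table (not TalkTalk's schema).
CUSTOMERS = [
    (1, "alice", "Alice Example", "1980-01-01", "sort 00-00-00 acct 00000001"),
    (2, "bob", "Bob Example", "1975-05-05", "sort 00-00-00 acct 00000002"),
]

def make_db():
    """Build an in-memory SQLite database holding the constructed customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, username TEXT, name TEXT, dob TEXT, bank TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
    return conn

def lookup_vulnerable(conn, username):
    """The access restriction (one customer sees one record) lives only in the
    WHERE clause, and the input is spliced into the SQL text, so crafted input
    can rewrite that clause and the query returns every row."""
    sql = "SELECT name, dob, bank FROM customer WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def lookup_fixed(conn, username):
    """Parameterised query: the driver passes the value separately from the
    statement, so whatever the input contains, it is compared as data."""
    sql = "SELECT name, dob, bank FROM customer WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Hypothetical heuristic: a quote followed by an SQL keyword inside a request.
# Lines are URL-decoded first so an encoded quote (%27) is not missed.
SUSPICIOUS = re.compile(r"'\s*(or|and|union|--|;)", re.IGNORECASE)

def flag_requests(log_lines):
    """Return access-log lines carrying that marker: the kind of early warning
    that should trigger a review of the page rather than be ignored."""
    return [line for line in log_lines if SUSPICIOUS.search(unquote(line))]
```

The parameterised lookup is the "bug fix" half of the defence; the log check stands in for the monitoring that turns a repeated attack into an alert instead of a later fine.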
The bug fix, the defence against SQL injection and action following the previous attacks were all mitigating steps that TalkTalk could and should have taken. But they did not and the result has been a massive fine and untold damage to their reputation. Someone has seriously fallen down on the job here.
TalkTalk has been hit hard because of their size and profile, but thousands of much smaller companies have also been hit in a similar, if less catastrophic, manner. A professional managed security service provider could have easily helped TalkTalk to avoid this disaster. The benefit of outsourcing your cyber security is illustrated by the failure at TalkTalk.
A cyber-security-as-a-service provider would have come in with an outsider’s perspective and conducted an audit of existing networks and infrastructure. They would also have carried out penetration testing that is likely to have identified the weaknesses in the network, and they would have fixed the vulnerabilities. An internal security team can become complacent and may not have access to the latest cutting-edge cyber security solutions.
I will give the last word on this issue to the Information Commissioner, Elizabeth Denham. She said: “In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting. Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”