TalkTalk fined record £400,000 for failing to prevent hack

Webpages vulnerable to SQL injection and software left unpatched for 3.5 years…


When British telecoms firm TalkTalk was struck by hackers in October 2015, the story made headline news.

CEO Dido Harding (also known as Baroness Harding of Winscombe) went on TV news programmes to describe the hack as "highly sophisticated."

Within days Harding was telling the press that TalkTalk was "head and shoulders" better than its competitors when it came to security.

I was skeptical at the time that Harding knew what she was talking about, and I'm not changing my position now as I read the Information Commissioner's Office's newly-published in-depth report into what was going on at TalkTalk:

...TalkTalk had failed to remove, or otherwise make secure, the webpages that enabled the attackers to access the underlying database. The investigation also highlighted that the database software in use was outdated. It was affected by a bug for which a fix had been made available over three-and-a-half years before the cyber attack but which had not been applied. The bug enabled the attackers to bypass access restrictions that were in place on the database. TalkTalk also failed to undertake appropriate proactive monitoring activities to discover vulnerabilities.

The attack was an SQL injection attack, a common type of cyber attack that has been well-understood for more than ten years and for which known defences exist.

The investigation found there had been two previous SQL injection attacks on 17 July 2015 and between 2-3 September 2015 but TalkTalk did not take any action due to a lack of monitoring of the webpages.

So, no... the TalkTalk hack was not "highly sophisticated." SQL injections are child's play, and it's shameful that TalkTalk's websites were not hardened against such attacks.

Furthermore, TalkTalk's database software had not been patched against a vulnerability for which a fix had been available three-and-a-half years earlier. That's security 101! You have to keep your systems patched!
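To make the two failings concrete (the injectable webpages described in the ICO's report, and the lack of monitoring that let the July and September probes go unnoticed), here is an added example that is not code from the original post or from TalkTalk. It builds a constructed in-memory SQLite table with an assumed schema, shows the string-concatenated query that an injection payload turns into "return every row", shows the parameterised form that the same payload cannot touch, and then runs a small signature check over constructed web-server access log lines of the kind a monitoring process should have been reviewing. All hostnames, addresses, paths and log entries are invented for the demonstration.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    """Constructed in-memory table standing in for a customer database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, sort_code TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "12-34-56"), (2, "bob@example.com", "65-43-21")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """The classic mistake: untrusted input is concatenated into the SQL text."""
    sql = "SELECT id, email, sort_code FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    """The known defence: a parameterised query. The driver binds the value as data,
    so it can never be parsed as SQL, whatever it contains."""
    return conn.execute(
        "SELECT id, email, sort_code FROM customers WHERE email = ?", (email,)
    ).fetchall()


# A textbook tautology payload: closes the string literal and ORs in a true clause.
PAYLOAD = "' OR '1'='1"


def demo():
    """Returns (rows leaked by the vulnerable query, rows returned by the hardened one)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)   # WHERE email = '' OR '1'='1'  -> every row
    safe = lookup_hardened(conn, PAYLOAD)       # WHERE email = ?               -> no rows
    return len(leaked), len(safe)


# Constructed access-log lines (Combined Log Format); the hosts, paths and dates are invented.
LOG_LINES = [
    '203.0.113.5 - - [01/Jan/2016:10:02:11 +0000] "GET /lookup?email=alice%40example.com HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2016:10:02:40 +0000] "GET /lookup?email=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98304',
    '198.51.100.9 - - [01/Jan/2016:10:03:02 +0000] "GET /lookup?email=x%27%20UNION%20SELECT%20sort_code%20FROM%20customers-- HTTP/1.1" 500 0',
]

# Deliberately simple signatures: a quote-OR-quote tautology, UNION ... SELECT, and comment
# terminators. Real deployments use a WAF or SIEM ruleset; the point is that even this
# catches the probes once someone actually looks at the logs.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*'", re.I),
    re.compile(r"\bunion\b.*\bselect\b", re.I),
    re.compile(r"--\s*$|;\s*--|/\*"),
]

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')


def flag_requests(lines):
    """Decode each request's query string and return (source, timestamp, param, value)
    for every parameter value that matches an injection signature."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, ts, target = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:          # parse_qs has already percent-decoded it
                if any(p.search(value) for p in SQLI_PATTERNS):
                    hits.append((src, ts, name, value))
    return hits


if __name__ == "__main__":
    print("vulnerable/hardened row counts:", demo())
    for hit in flag_requests(LOG_LINES):
        print("suspicious request:", hit)
```

Running it shows the vulnerable lookup handing back both customer rows for the payload while the parameterised version returns none, and the log check flagging the two probe requests from the same source address. Note that the decode step matters: the same payload arrives percent-encoded, so a signature applied to the raw log line would miss it.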

Hackers accessed the personal data of 156,959 TalkTalk customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes because of TalkTalk's incompetence.

Disgracefully, some of the victims of the TalkTalk hack were treated shoddily by the company.

Fining the telecoms firm a record £400,000, Information Commissioner Elizabeth Denham was damning in her opinion of how TalkTalk had protected customers' personal data:

"TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease."

"Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."

And as for TalkTalk CEO Dido Harding? She saw her pay almost triple to £2.8 million.



9 Responses

  1. Bob

    October 5, 2016 at 5:29 pm #

    £400,000 is nowhere near enough.

    Fine them 10% of their operating profit and see how careless they are in the future.

    • Graham Cluley in reply to Bob.

      October 5, 2016 at 5:34 pm #

      I might be mistaken, but I think the maximum fine that the ICO can impose is £500,000. But yes, point taken.

      • Bob in reply to Graham Cluley.

        October 5, 2016 at 6:57 pm #

        Yes, the statutory maximum is £500,000 but there are plans afoot to increase the sentencing powers of the ICO.

        I also hope victims of the hack take individual action now that TalkTalk have been censured for their appalling security. Proving the case in a County Court is now so much easier.

        It's a pity that the law in the UK doesn't allow collective litigation for this type of case.

        • Bob in reply to Bob.

          October 5, 2016 at 6:59 pm #

          Only last year did those idiots attempt to appeal a £1000 fine from the ICO. They lost.

          http://www.theregister.co.uk/2016/09/01/talktalk_appeal_against_ico_data_breach_fine_dismissed/

  2. Bob

    October 5, 2016 at 8:46 pm #

    Graham, I've just had a nasty shock when I read the actual notice. The penalty will be reduced to £320,000 if they pay by 1st November 2016.

    Take a look at this report if you haven't already … it really is damning.

    https://ico.org.uk/media/action-weve-taken/mpns/1625131/mpn-talk-talk-group-plc.pdf

    • Graham Cluley in reply to Bob.

      October 5, 2016 at 11:28 pm #

      Thanks for that link Bob. I note that the special reduced rate is only available to TalkTalk if they waive their right to appeal the size of the fine.

      Seeing as they have appealed far lower fines in the past, it will be interesting to see what they choose to do on this occasion.

  3. John Lewis

    October 6, 2016 at 10:37 am #

    Fines are trivial. The only thing that will work is to make the reputational damage so great that the SRO (in this case Dido Harding) departs in disgrace, with no severance package. It won't happen of course – although Charles Dunstone must be somewhat annoyed – it has not damaged the share price.

    It will be interesting to see the outcome of the current Yahoo scandal where it appears that security concerns were raised and dismissed. If Yahoo did not disclose security concerns to Verizon there will be some fun.

  4. Matthew Parkes

    October 6, 2016 at 10:50 am #

    And with a triple value salary Dido Harding will continue to think she is doing nothing wrong and, assuming the fine is nothing to them and the loss of customers wasn't that great, then there will be no lessons learned. Companies like Yahoo & Talk Talk are revealing just how arrogant their attitudes are to data protection. It appears fines need to be much higher if they are to be seen as a stick with which to beat these companies.

  5. Mike

    October 6, 2016 at 10:55 am #

    So, this report makes it clear that when, before MPs, Ms Harding answered as below, she was lying. Fantastic. As this was 8 weeks after the October breach, there's no excuse for not being aware of the earlier ones by this stage.

    Q26 Chair: How many breaches of security have you had over the last five years?
    Dido Harding: This is the first of TalkTalk’s systems, 21 October.
