The attack took advantage of technical weaknesses in TalkTalk’s systems, allowing access to the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes.
The ICO said the ISP failed to implement “the most basic cyber security measures” and that “TalkTalk should and could have done more to safeguard its customer information”. The fine was issued on the basis of violations of the Data Protection Act. A criminal investigation by the Metropolitan Police is also underway.
The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009. The data was accessed through an attack on three vulnerable webpages within the inherited infrastructure. TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information. The company said it did not know at the time that the software was affected by a bug – for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible.
The attacker used a common technique known as SQL injection to access the data. SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data, the ICO investigation found. On top of that the company also had two early warnings that it was unaware of. The first was a successful SQL injection attack on 17 July 2015 that exploited the same vulnerability in the webpages. A second attack was launched between 2 and 3 September 2015.
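To make concrete what "defences exist" means for the class of bug described above, the following is an added example, not TalkTalk's code or anything from the ICO report: a constructed in-memory SQLite customer table (sample names, sort codes and account numbers are invented), the same lookup written once by splicing the input into the query text and once with a bound parameter, so the difference in what each returns for a crafted input can be seen directly.

```python
import sqlite3

# Constructed sample records for illustration only; not a real schema or real customers.
CUSTOMERS = [
    (1, "alice", "Alice Example", "11-11-11", "00000001"),
    (2, "bob", "Bob Example", "22-22-22", "00000002"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers "
        "(id INTEGER, username TEXT, name TEXT, sort_code TEXT, account TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted input spliced straight into the statement text: the SQL injection defect."""
    sql = ("SELECT name, sort_code, account FROM customers "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """The driver passes the value separately from the statement, so the input is only
    ever compared as data and cannot change the query's logic."""
    sql = "SELECT name, sort_code, account FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Return the row counts each version yields for a normal and a crafted input."""
    conn = make_db()
    benign = "alice"
    crafted = "x' OR '1'='1"  # textbook tautology input; no real username looks like this
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),   # 1 row
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)), # every row leaks
        "fixed_benign": len(lookup_parameterised(conn, benign)),     # 1 row
        "fixed_crafted": len(lookup_parameterised(conn, crafted)),   # nothing matches
    }


if __name__ == "__main__":
    print(demo())
```

The same principle applies to any database driver: the fix for the vulnerable version is to use the driver's placeholder mechanism rather than to filter quote characters out of the input.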
TalkTalk said in a statement that it cooperated fully with the ICO and, while this was “clearly a disappointing decision”, the company “respects the important role the ICO plays in upholding the privacy of consumers”. TalkTalk noted as well that it was “open and honest” with its customers from the outset, so they could protect themselves as well as possible.