TalkTalk has been fined ($510,000) over website security failings which led to the theft of almost 157,000 customers’ data last year.
The telecommunications company’s “failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease,” U.K. Information Commissioner Elizabeth Denham said in a statement. Police have arrested at least six people in relation to the attack.
Hackers accessed the personal data of about 150,000 TalkTalk customers, including names, addresses, dates of birth, phone numbers and e-mail addresses. The company’s shares lost 19 percent after details of the incident were disclosed, before recovering on news that the impact was smaller than initially feared.
TalkTalk said it had been open and honest about the breach and had cooperated fully with the ICO probe.
“While this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers,” the company said in a statement.
The ICO said TalkTalk failed to scan for possible threats after taking over Tiscali SpA’s U.K. operations in 2009 and was unaware of vulnerable web pages. TalkTalk was also unaware that it was using outdated software; had the software been updated, the bug would have been fixed, the ICO said.
The fine is “little more than a sting to TalkTalk’s finances,” said Mark Skilton, professor of practice at Warwick Business School and an expert on cybersecurity. “Even by factoring in the reported numbers of 157,000 personal details and, of those, the 16,000 who had bank details stolen, it still only equates to 2.50 pounds per head, or 25 pounds per person who lost banking data.”
Authorities should “treat cyber security as a real corporate risk and not just a customer data mismanagement issue,” Skilton added.
Jean G. Thomas