Fine issued as a warning to other companies that cyber security is not an IT issue, but a boardroom issue.
TalkTalk has been hit with a record fine after it let attackers succeed “with ease”.
The fine of £400,000 comes in response to the theft of the personal data of around 157,000 customers in October 2015.
Imposed by the Information Commissioner’s Office (ICO), the fine is due to the company’s failure to take basic steps to protect customer information.
The ICO found from its investigation that TalkTalk hosted three webpages that were vulnerable to SQL injections.
A failure to enforce proper security on its own website meant that in nearly 16,000 cases the attacker was able to steal bank account details.
The Information Commissioner, Elizabeth Denham, said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”
One finding from the report highlighted that TalkTalk had failed to assess the IT systems of Tiscali for possible threats when it purchased the company in 2009. This failing led to the database software being out of date and vulnerable to SQL injection.
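As an added illustration (not code from the ICO report or from TalkTalk's systems), the class of defect the ICO found, shown as a customer lookup in Python against a constructed in-memory SQLite table: the first function splices the request value into the query text, so the database cannot tell data from SQL; the second binds it as a parameter. The table, customer names and bank details are invented.

```python
import sqlite3

# Constructed sample data standing in for the kind of records the breach
# exposed; every value here is invented.
CUSTOMERS = [
    ("C1001", "A. Customer", "20-00-00", "11111111"),
    ("C1002", "B. Customer", "20-00-00", "22222222"),
    ("C1003", "C. Customer", "20-00-00", "33333333"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id TEXT, name TEXT, sort_code TEXT, account TEXT)"
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer_id: str) -> list:
    """Defective pattern: the request value becomes part of the SQL text,
    so a quote character in the input changes the query's structure."""
    query = (
        "SELECT id, name, sort_code, account FROM customer "
        f"WHERE id = '{customer_id}'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, customer_id: str) -> list:
    """Fixed pattern: a bound parameter is always treated as a value,
    never as SQL, whatever characters it contains."""
    query = "SELECT id, name, sort_code, account FROM customer WHERE id = ?"
    return conn.execute(query, (customer_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A hypothetical request value that is a quote followed by an always-true
    # condition; harmless as data, but it rewrites the spliced query.
    crafted = "' OR '1'='1"
    print("vulnerable rows returned:", len(lookup_vulnerable(db, crafted)))
    print("parameterized rows returned:", len(lookup_parameterized(db, crafted)))
```

Run as written, the vulnerable lookup returns every row in the table for the crafted input while the parameterized lookup returns none, which is the difference between a single record and a full data theft.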
The telecoms company also ignored the warning signs which were flashing after similar cyber attacks earlier in 2015.
Although the fine of £400,000 is the highest issued by the ICO to date, it falls short of the maximum of £500,000; the real cost of the breach, however, lies elsewhere.
Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, said: “I am pleased the ICO is taking this particular loss very seriously and believe that the amount is appropriate in the circumstances. Some people may think £400,000 is high, but let’s remember it is only £2.50 per impacted customer.
“However, the real loss to TalkTalk is far greater. It had a stock price drop of 11 percent, claimed to have lost 101,000 customers and had a revenue reduction of £80M in the quarter after the attacks. In addition, the name TalkTalk will forever be linked to this and its other data loss incidents.
“The lesson to other organisations is crystal clear – data is the crown jewels of your business; treat it with the utmost respect, secure it in every way possible both from malicious actors and inadvertent loss or misuse by employees and subcontractors. You are responsible to your employees, customers and suppliers to keep their data safe from the second it is collected.”
Denham said that while hacking is wrong, it is not an excuse for companies to “abdicate their security obligations”.
The Commissioner went on to say that the fine acts as a warning to other companies that cyber security is not an IT issue, but a boardroom issue.