Leading telecommunications company TalkTalk has been fined a record £400,000 by the UK’s Information Commissioner’s Office (ICO). This fine relates to a cyber-attack that occurred in October 2015 when a malicious agency exploited a vulnerability in the company’s website, leading to the theft of the personal data of almost 157,000 customers.
An in-depth investigation was conducted by the ICO following the attack, which occurred between 15 and 21 October 2015. They concluded that hackers accessed an underlying customer database through vulnerabilities on three legacy webpages that allowed them to steal information.
Using a well-known technique called SQL injection, the hackers were able to by-pass security measures. However TalkTalk were simply unaware of the flaw in their systems, as the database had been acquired from Tiscali in 2009 and had not been subject to the proper security checks.
Names, addresses, dates of birth, phone numbers and email addresses were acquired for all 156,959 records stolen in the attack. Additionally the hackers were able to access bank account details and sort codes for 15,656 of these records.
The ICO said that one of the reasons behind the magnitude of the fine, which is the largest fine ever imposed by the agency, is the ease with which the attack was carried out. The maximum fine that the office can impose is £500,000.
According to Information Commissioner Elizabeth Denham, “TalkTalk’s failure to implement even the most basic cyber-security measures allowed hackers to penetrate the company’s systems with ease”.
She went on to add that “Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
The £400,000 fine from the ICO is dwarfed by the losses incurred by the business due to their improper management of the information. TalkTalk revealed that the cyber attack had cost the business around £42m with the loss of over 100,000 subscribers.
UK authorities are still investigating the attack, which appears to be an attempt to extort money out of TalkTalk. A young adult, Daniel Kelley, 19, appeared at Westminster magistrates court accused of demanding 465 bitcoins, worth over £200,000, following the cyber attack on the website last October.
How could ISO 27001 have helped?
With a proper data protection policy in place, this attack could perhaps have been avoided. Implementation of an ISO 27001 certified management system would have helped TalkTalk to review their existing security procedures and set up processes for ensuring that new information technology resources adhered to the company’s standards, as well as international standards of best-practice.
The internal audits required by the ISO 27001 would have examined all of the existing systems, testing for vulnerabilities in all existing information technology assets to ensure their ability to withstand attacks.
“While ISO 27001 can never guarantee that a security breach won’t take place, when properly implemented it means that the likelihood of the kind of loss recently experienced by TalkTalk is minimised,” says Steve Dean, Technical Principle at QMS.
“Even if a security breach does occur, ISO 27001 certification also demonstrates that an organisation did everything possible to protect its information, thereby reducing the level of fines which might be applied.”
ISO 27001 is one of the strongest statements a company can make about their information security procedures and is a clear demonstration of their commitment to data protection.
If you would like to know more about acquiring an ISO 27001 certification for your business, then the ideal place to start would be a consultation with QMS.