TalkTalk given record fine over data breach that led to data theft of nearly 157,000 customers

The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, was stolen

Zlata Rodionova
Wednesday 23 November 2022 07:19 EST

TalkTalk has been fined a record £400,000 for security failings which led to the theft of personal data of almost 157,000 customers.

The cyber attack in October last year exposed the latest security failure for the company, which was forced to admit it had not encrypted some personal details of customers.

The Information Commissioner's Office (ICO) said the attack could have been prevented if TalkTalk had taken basic steps to protect customers’ information.

Almost 157,000 customers had their details stolen, including bank account numbers, birth dates and addresses.

Elizabeth Denham, the Information Commissioner, said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”

“Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.”

“TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action,” she added.

An investigation by the ICO found that hackers gained access, via vulnerable web pages which TalkTalk had not spotted, to the database of details which it had from its takeover of rival firm Tiscali.

TalkTalk also avoided “two warnings” prior to the hack which should have alerted the firm to the problems with its software and data storage.

“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting,” Denham said.

“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers,” she added.

Mark Skilton, a professor of practice at Warwick Business School and an expert on cyber security, said the fine was insignificant and little more than “a sting” to TalkTalk's finances.

“Even by factoring in the reported numbers of 157,000 personal details and, of those, the 16,000 who had bank details stolen, it still only equates to £2.50 per head or £25 per person who lost banking data. The fine seems to be ‘proportionate’ to the impact, but shows little regard for the possible risks and lack of due diligence of a company with four million subscribers,” Skilton said.

“TalkTalk seem to have got off lightly here even if their argument is that the millions of customers were not at risk: a strong message and fines approach needs to be in place for corporates to manage and treat cyber security as a real corporate risk and not just a customer data mismanagement issue,” he added.

TalkTalk profits more than halved following the cyber attack.

Pre-tax profits fell to £14m in the year to 31 March, from £32m a year earlier.

Earlier this year, Dido Harding, TalkTalk chief executive, admitted that last October was a challenging period for the company.

She said TalkTalk was working to regain customers’ trust.

“Throughout the cyber attack, we worked hard to put our customers first, and we know that they have appreciated our efforts and our honesty throughout.”

“Nevertheless, last October was a challenging period for TalkTalk and its customers and, in recognition of that, I have made a personal decision to donate my bonus to our charity partner,” she said.

Despite presiding over the firm in the year it was hit by the attack, Ms Harding has seen her 2015 pay almost triple.

Her total income rose to £2.8m in 2015, up from just over £1m the year before, according to the firm’s annual results.
