Logan Parker
Privacy Editor
Loyola University Chicago School of Law, LL.M. in Health Law 2017
TalkTalk is one of the UK’s fastest-growing business-to-business telecommunications providers, offering a full range of business-grade communications products and services, including internet, data, voice and mobile. On October 5, 2016, the Information Commissioner’s Office (“ICO”) hit TalkTalk with a record £400,000 penalty for security failings that allowed a cyber-attack to access and misappropriate customer data “with ease.”
The cyber-attack in October 2015 affected almost 157,000 TalkTalk customers. The information obtained by the attackers included names, addresses, dates of birth, phone numbers, and email addresses. In over 15,000 cases, the attacker also accessed bank account numbers and sort codes.
ICO Findings
The ICO, a UK independent body set up to uphold information rights and protect data privacy for individuals, found that TalkTalk failed to have in place appropriate security measures to protect the personal data it was responsible for. This was in violation of the seventh data protection principle, outlined in Schedule 1 of the [UK’s] Data Protection Act.
The Notice issued to TalkTalk, explaining the penalty, detailed more specifics on the attack. The attacker gained access through vulnerabilities in a database acquired by TalkTalk in 2009. TalkTalk did not analyze the risks and threats associated with this database, so it was not aware the vulnerabilities existed. The company was also unaware that the database software was outdated and no longer supported by the software provider. A fix for the software bug was available, but TalkTalk did not know this. The bug allowed an end-run around the software’s access restrictions – something that would not have been possible if the software had been adequate and up to date.
However, TalkTalk had warning signs that this type of event could occur, based on two prior attacks exploiting the same vulnerabilities in this database: 1) a successful SQL injection attack in mid-2015; and 2) another successful SQL injection attack in September 2015. TalkTalk chose to willfully ignore these warning signs.
The Metropolitan Police are concurrently conducting a criminal investigation.
Lessons Learned
This case highlights significant information security failures by TalkTalk. Entities like TalkTalk should take note of this action, and the lessons it teaches apply not only to UK companies but to companies globally. Breaches and cyber-attacks expose violations of law, but they can also lead to loss of customers, money, and reputation. The Information Commissioner, Elizabeth Denham, stated that this should be “a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
Finally, there are compliance lessons to be learned here as well. An effective compliance program could have helped TalkTalk avoid this attack; specifically, conducting internal monitoring and auditing, responding promptly to detected problems, and undertaking corrective action. Monitoring and auditing of these databases could have highlighted vulnerabilities that TalkTalk could then have analyzed further and corrected. Moreover, TalkTalk was aware of past attacks on the vulnerable aspects of the database. With this knowledge, TalkTalk should have acted quickly to plug the gaps in its security.