The full 17-page report can be found here, however, here is my brief summary of 10 key points from this report:
- A successful Cyber Attack took place on TalkTalk’s infrastructure between 15-21 October 2015.
- The attack was in the form of an SQL injection exploit using SQLmap on former Tiscali-owned infrastructure (acquired by TalkTalk in 2009) which was running outdated versions of MySQL.
- TalkTalk were not aware of the full extent of the Tiscali infrastructure they acquired.
- Names, addresses, dates of birth, telephone numbers, email addresses and financial information of 156,959 customers were exposed, including the bank account numbers and sort codes of 15,656 customers.
- Previous attacks exploiting the same vulnerability took place on 17th July 2015, and also between 2-3 September 2015.
- TalkTalk failed to keep software up-to-date. A vendor fix for the exploit used was made available nearly four years before the attack.
- TalkTalk “failed to take appropriate technical and organizational measures” to “safeguard customer data against unauthorized or unlawful access”.
- TalkTalk should have been aware that their negligence “would be of a kind likely to cause substantial damage or substantial distress”.
- TalkTalk have been fined a record £400,000 (~$510,000 USD) by the ICO (Information Commissioner’s Office) for their failings under the Data Protection act.
- TalkTalk said the fine was “disappointing” as it had “co-operated fully” with the investigation.
Whilst this is the largest fine the ICO have ever issued, they could have issued a maximum fine of half a million pounds (~$638,000 USD). So why didn’t they, given the seriousness of this incident!? Only the ICO know the answer to that, but I suspect the reason for the slightly reduced fine will be because TalkTalk “co-operated” with the investigation.
So what lessons can be learned for this TalkTalk incident? Well, as Information Commissioner Elizabeth Denham says:
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
Although, what kind of “warning” this sends to others, given that a £400,000 fine represents a measly 0.02% of TalkTalk’s £1.8B annual revenue, is debatable(!)