UK Information Commissioner hits TalkTalk with a record fine for data security failures

October 9, 2016

The UK Information Commissioner has issued TalkTalk with a £400,000 fine for its failure to provide adequate security, which resulted in the catastrophic data breach at TalkTalk in October last year. The ICO can issue a maximum of £500,000.

The breach exposed the personal data of 156,959 customers, including the bank account details of 15,656 people.

The media release provides:

Telecoms company TalkTalk has been issued with a record £400,000 fine by the ICO for security failings that allowed a cyber attacker to access customer data “with ease”.

The ICO’s in-depth investigation found that an attack on the company last October could have been prevented if TalkTalk had taken basic steps to protect customers’ information.

ICO investigators found that the cyber attack between 15 and 21 October 2015 took advantage of technical weaknesses in TalkTalk’s systems. The attacker accessed the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes.

Information Commissioner Elizabeth Denham said:

“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.

“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009. The data was accessed through an attack on three vulnerable webpages within the inherited infrastructure. TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.

TalkTalk was not aware that the installed version of the database software was outdated and no longer supported by the provider. The company said it did not know at the time that the software was affected by a bug – for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible.

The attacker used a common technique known as SQL injection to access the data. SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data, the ICO investigation found.

On top of that the company also had two early warnings that it was unaware of. The first was a successful SQL injection attack on 17 July 2015 that exploited the same vulnerability in the webpages. A second attack was launched between 2 and 3 September 2015.

Ms Denham said:

“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting.

“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”

The ICO’s investigation was limited to TalkTalk’s compliance with the Data Protection Act. It concluded that TalkTalk failed to have in place the appropriate security measures to protect the personal data it was responsible for. This is a breach of the seventh principle of the Data Protection Act.

A criminal investigation by the Metropolitan Police has been running separately to the ICO’s investigation.

The Monetary Penalty Notice relevantly provides:

9. The Group is a TV, broadband, mobile and phone provider. In 2009, the Group acquired the UK operations of Tiscali. The Group was not aware that Tiscali’s infrastructure included webpages (“webpages”) that were still available via the internet in 2015, with access to an underlying database known as “Tiscali Master” (“database”).

10. Between 15 and 21 October 2015, a cyber-attack exploited vulnerabilities in three of the webpages. The attacker was able to probe for the vulnerabilities and perform an SQL injection attack using an automated tool known as SQL map, and then exfiltrate data from the database. User input was not validated and the vulnerable pages used outdated software libraries.

11. The database software in use was an outdated version of MySQL. The software was affected by a bug which meant that the attacker could bypass access restrictions that were in place. The bug was first publicised in 2012 when a fix was made available by the software vendor.

12. The database held personal data including the name, address, date of birth, telephone number, email address and financial information of 156,959 customers.

13. The attacker accessed the personal data of those 156,959 customers, including the bank account number and sort code of 15,656 customers.

…

18. The Group failed to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data in contravention of the seventh data protection principle at Part I of Schedule 1 to the DPA.

19. The Commissioner finds that the contravention is as follows. The Group did not have in place appropriate technical and organisational measures for ensuring so far as possible that such an incident would not occur, i.e. for ensuring that the personal data held on the database could not be accessed by an attacker performing an SQL injection attack.

20. In particular:

(a) The Group was not aware that Tiscali’s infrastructure included webpages that were still available via the internet in 2015, with access to the underlying data

(b) The Group failed to remove the webpages or ensure that they were otherwise made

(d) The Group was operating outdated database software that was affected by a bug for which a fix had been made available over three and a half years before the cyber-attack.

(e) The Group failed to undertake appropriate proactive monitoring activities to discover

33. The Commissioner has considered whether the contravention identified above was deliberate. In the Commissioner’s view, this means that the Group’s actions which constituted those contraventions were deliberate actions (even if the Group did not actually intend thereby to contravene the DPA).

34. The Commissioner considers that in this case the Group did not deliberately contravene the DPA in that sense. She considers that the inadequacies outlined above were matters of serious oversight rather than deliberate intent to ignore or bypass the provisions of the

35. The Commissioner has gone on to consider whether the Group knew or ought reasonably to have known that there was a risk that this contravention would occur. She is satisfied that this condition is met, given that the Group should have been aware that Tiscali’s infrastructure included webpages that were still available via   the internet in 2015, with access to an underlying database that held the personal data of 156,959 customers, including financial information.

  1. Although it is a common security vulnerability, SQL injection is well understood and known defences exist. On 17 July 2015, there was a successful SQL injection attack that exploited the same vulnerability within the webpages. There was a second attack between 2 and 3 September
  1. In the circumstances, the Group ought reasonably to have known that there was a risk that an attack performed by SQL injection would occur unless it ensured that the personal data held on the database was technically and organisationally
  1. Second, the Commissioner has considered whether the Group knew or ought reasonably to have known that the contravention would be of a kind likely to cause substantial damage or substantial

40. She is satisfied that this condition is met, given that the Group ought to have known that it would cause substantial damage or substantial distress to the data subjects if the information was accessed by an attacker who could expose them to blagging and possible fraud.

41. Therefore, it should have been obvious to the Group that such a contravention would be of a kind likely to cause substantial damage and substantial distress to the data subjects.

42. Third, the Commissioner has considered whether the Group failed to take reasonable steps to prevent the contravention. Again, she is satisfied that this condition is met. Reasonable steps in these circumstances would have included being aware of the webpages either in 2009 or in the intervening period; removing the webpages or ensuring that they were otherwise secured; …ensuring that adequate testing and monitoring was in place and that appropriate technical measures were applied to its database software, either by applying a bug fix that had been available since 2012 or by upgrading that software to a more recent supported version that was unaffected by the bug in question. The Group did not take those steps. The Commissioner considers there to be no good reason for that failure.
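Paragraphs 10 and 42 of the notice name the failure (user input reaching the database query unvalidated) and the remedy (appropriate technical measures). The following is an added illustration, not code from the notice, TalkTalk or the ICO; it assumes a constructed three-row customer table in SQLite standing in for the MySQL database, and places a string-built lookup beside a validated, parameterised one so the difference in behaviour can be run rather than read.

```python
import re
import sqlite3

# Constructed sample data standing in for the customer database in the notice;
# sqlite3 is used in place of MySQL so the example runs offline.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice Adams", "12-34-56", "00000001"),
    ("bob@example.com", "Bob Brown", "65-43-21", "00000002"),
    ("carol@example.com", "Carol Clark", "11-22-33", "00000003"),
]

# Allowlist shape for the one input this lookup accepts.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (email TEXT, name TEXT, sort_code TEXT, account TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_unsafe(conn, email):
    # The failure in paragraph 10: the input is pasted into the SQL text, so a
    # quote character in the input changes the structure of the query itself.
    sql = "SELECT name, sort_code, account FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # Layer 1: validate the input against the shape it must have before it
    # goes anywhere near the database.
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected input that is not an email address")
    # Layer 2: a parameterised query. The driver passes the value separately
    # from the SQL text, so it is only ever compared as a literal string.
    sql = "SELECT name, sort_code, account FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"  # textbook tautology input
    print("unsafe, crafted input ->", len(lookup_unsafe(db, crafted)), "rows")
    try:
        lookup_safe(db, crafted)
    except ValueError as exc:
        print("safe, crafted input ->", exc)
```

With the crafted input the unsafe lookup returns every customer row, while the hardened lookup rejects it at validation and, even if validation were bypassed, the parameterised query could only match an email literally equal to that string.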

As is typically the case, this announcement and the monetary penalty notice resulted in unfavourable publicity, such as stories by the Huffington Post, the Register and the Telegraph.
