TalkTalk earn £400,000 fine for customer data breach

Credit: Piotr Swat/Shutterstock.com

ICO have said TalkTalk failed to take "basic steps to protect customers' information", leading to 156,959 customers in total having their personal details stolen in the attack.

Of these, 15,656 had their bank account details accessed, underlying just how serious the attack was and just how negligent TalkTalk had been.

According to ICO, the provider hadn't noticed or acted upon the fact that the databases they'd inherited from their 2009 takeover of Tiscali were "outdated". They were so outdated they'd been infected by a bug, which could have been easily fixed if the provider had acted with due care.

Instead, they didn't, allowing the perpetrators of the attack to take advantage of three vulnerable webpages.

Yet if TalkTalk regard the record fine handed out by ICO as "disappointing", it's because the Office want to make an example of them.

And given that half of all UK businesses are unprepared for cyber attacks, this example is needed more than ever.

118 accounts

It's needed because, even though 60% of security breaches last year were the result of human error, only 27% of UK businesses consider cyber security training to be an effective defence against potential attacks.

This is alarming, if only because the average British person has 118 online accounts linked to a single email address, 26 more than the global average.

This means that hackers potentially have 118 different routes towards accessing a Brit's personal details.

What's more, in light of how 42% of people [PDF] in the UK use the same password for most if not all of their accounts, only one of these routes needs to be vulnerable for cybercriminals to have access to their victims' entire online lives.

This is why the £400,000 fine handed by ICO to TalkTalk is vitally important.

It may have upset TalkTalk - who have very recently tried to rebrand their image somewhat by introducing a simpler "all-in" pricing scheme - yet it's needed to remind other companies of just how fragile and susceptible their cyber defences can sometimes be.

One after the other

That they're vulnerable wasn't evident only in the TalkTalk attack, but in other recent breaches as well.

For example, in August there was an attack on the software company Sage, who couldn't stop the personal details of employees with more than 280 British companies from being compromised.

There was also the attack against Vodafone in October 2015, around the same time that TalkTalk were suffering the fruits of their oversight. On this occasion, the details attached to 1,827 profiles were accessed after criminals acquired email addresses and passwords from an "unknown source".

Then there was the infamous Ashley Madison hack of July 2015. Much like the TalkTalk breach, this was enabled by an "inadequate" cyber security setup, with the passwords belonging to users being held in plain, readable text on the site's internal servers.

If this loss of the data of 36 million users wasn't enough, there have been numerous other attacks over the past couple of years, making victims of the likes of Moonpig and Kiddicare.

This long roll call of websites with lax security shows why ICO were driven to fining TalkTalk, who among all recent victims of cyber attacks were the most careless and irresponsible.

Not only was their attack the result of a bug they could have quite easily fixed, but they'd already suffered two breaches prior to the one last October which affected some 160,000 customers.

While they arguably suffered enough insofar as 101,000 customers left them in the three months after the third attack, their repeated irresponsibility forced ICO to impose their biggest fine to date.

As Information Commissioner Elizabeth Denham said, "TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."

Safety steps

With this action, other companies will perhaps be goaded into reinforcing their sometimes fragile security defences, so that their customers are spared the kind of violation that happened to TalkTalk's.

And even if some of these companies remain less-than prepared, there are numerous steps their customers can take to ensure that their personal data remains safe.

For one, they can avoid using the same password for all of their accounts by downloading a password manager, which them to constantly vary their login information without having to remember masses of numbers and letters.

They can also use multifactor authentication whenever it's available. This requires them to enter at least one category of information other than a password when trying to access a site.

Failing that, they can continue voting with their feet, leaving any company who repeatedly fails to safeguard their personal details.