TalkTalk fined record £400,000 for failing to prevent hack

Webpages vulnerable to SQL injection and software left unpatched for 3.5 years…


When British telecoms firm TalkTalk was struck by hackers in October 2015, the story made headline news.

CEO Dido Harding (also known as Baroness Harding of Winscombe) went on TV news programmes to describe the hack as “highly sophisticated.”

Within days Harding was telling the press that TalkTalk was “head and shoulders” better than its competitors when it came to security.


I was skeptical at the time that Harding knew what she was talking about, and I’m not changing my position now as I read the Information Commissioner’s Office’s newly-published in-depth report into what was going on at TalkTalk:

…TalkTalk had failed to remove, or otherwise make secure, the webpages that enabled the attackers to access the underlying database. The investigation also highlighted that the database software in use was outdated. It was affected by a bug for which a fix had been made available over three-and-a-half years before the cyber attack but which had not been applied. The bug enabled the attackers to bypass access restrictions that were in place on the database. TalkTalk also failed to undertake appropriate proactive monitoring activities to discover vulnerabilities.

The attack was an SQL injection attack, a common type of cyber attack that has been well-understood for more than ten years and for which known defences exist.

The investigation found there had been two previous SQL injection attacks on 17 July 2015 and between 2-3 September 2015 but TalkTalk did not take any action due to a lack of monitoring of the webpages.

So, no… the TalkTalk hack was not “highly sophisticated.” SQL injections are child’s play, and it’s shameful that TalkTalk’s websites were not hardened against such attacks.
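As an added illustration (not code from the post or from TalkTalk), here is the difference between a webpage that splices user input into SQL text and one that uses the well-known defence, parameterised queries. It runs against a constructed in-memory SQLite table with made-up customer rows.

```python
import sqlite3

# Constructed sample data standing in for the kind of customer table the
# article describes (not TalkTalk's schema or records).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, sort_code TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, sort_code) VALUES (?, ?)",
        [("alice@example.com", "12-34-56"), ("bob@example.com", "65-43-21")],
    )
    return conn

def lookup_vulnerable(conn, email):
    # The flaw: the input is concatenated into the SQL text, so a quote in
    # the input changes the query's structure rather than just its value.
    sql = "SELECT email, sort_code FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, email):
    # The defence: the query shape is fixed at the placeholder and the
    # driver binds the input as a value, so quotes in it are only data.
    sql = "SELECT email, sort_code FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

# The textbook tautology input used in every SQL injection primer; it turns
# the WHERE clause of the concatenated query into "email = '' OR '1'='1'".
TAUTOLOGY_INPUT = "' OR '1'='1"

def demo():
    # Returns the row counts each lookup yields for a normal and a hostile input.
    conn = build_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice@example.com")),
        "vulnerable_injected": len(lookup_vulnerable(conn, TAUTOLOGY_INPUT)),
        "parameterised_normal": len(lookup_parameterised(conn, "alice@example.com")),
        "parameterised_injected": len(lookup_parameterised(conn, TAUTOLOGY_INPUT)),
    }

if __name__ == "__main__":
    print(demo())
```

The concatenated version hands back every customer row for the hostile input, while the parameterised version returns nothing because no customer's email is literally that string.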

Furthermore, it appears that TalkTalk’s database software had not been patched against a vulnerability for which a fix had been available three-and-a-half years earlier. That’s security 101! You have to keep your systems patched!

Hackers accessed the personal data of 156,959 TalkTalk customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes because of TalkTalk’s incompetence.

Disgracefully, some of the victims of the TalkTalk hack were treated shoddily by the company.

Fining the telecoms firm a record £400,000, Information Commissioner Elizabeth Denham was damning in her opinion of how TalkTalk had protected customers’ personal data:

“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”

“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

And as for TalkTalk CEO Dido Harding? She saw her pay almost triple to £2.8 million.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

9 comments on “TalkTalk fined record £400,000 for failing to prevent hack”

  1. Bob

    £400,000 is nowhere near enough.

    Fine them 10% of their operating profit and see how careless they are in the future.

    1. Graham Cluley · in reply to Bob

      I might be mistaken, but I think the maximum fine that the ICO can impose is £500,000. But yes, point taken.

      1. Bob · in reply to Graham Cluley

        Yes, the statutory maximum is £500,000 but there are plans afoot to increase the sentencing powers of the ICO.

        I also hope victims of the hack take individual action now that TalkTalk have been censured for their appalling security. Proving the case in a County Court is now so much easier.

        It's a pity that the law in the UK doesn't allow collective litigation for this type of case.

        1. Bob · in reply to Bob

          Only last year did those idiots attempt to appeal a £1000 fine from the ICO. They lost.

  2. Bob

    Graham, I've just had a nasty shock when I read the actual notice. The penalty will be reduced to £320,000 if they pay by 1st November 2016.

    Take a look at this report if you haven't already … it really is damning.

    1. Graham Cluley · in reply to Bob

      Thanks for that link Bob. I note that the special reduced rate is only available to TalkTalk if they waive their right to appeal the size of the fine.

      Seeing as they have appealed far lower fines in the past, it will be interesting to see what they choose to do on this occasion.

  3. John Lewis

    Fines are trivial. The only thing that will work is to make the reputational damage so great that the SRO (in this case Dido Harding) departs in disgrace, with no severance package. It won't happen of course – although Charles Dunstone must be somewhat annoyed – it has not damaged the share price.

    It will be interesting to see the outcome of the current Yahoo scandal where it appears that security concerns were raised and dismissed. If Yahoo did not disclose security concerns to Verizon there will be some fun.

  4. Matthew Parkes

    And with a triple value salary Dido Harding will continue to think she is doing nothing wrong and, assuming the fine is nothing to them and the loss of customers wasn't that great, then there will be no lessons learned. Companies like Yahoo & Talk Talk are revealing just how arrogant their attitudes are to data protection. It appears fines need to be much higher if they are to be seen as a stick with which to beat these companies.

  5. Mike

    So, this report makes it clear that when, before MPs, Ms Harding answered as below, she was lying. Fantastic. As this was 8 weeks after the October breach, there's no excuse for not being aware of the earlier ones by this stage.

    Q26 Chair: How many breaches of security have you had over the last five years?
    Dido Harding: This is the first of TalkTalk’s systems, 21 October.
