TalkTalk Hit with Record Fines
In 2015, U.K. phone and broadband provider TalkTalk was hacked, and nearly 157,000 customer accounts were breached. Late last week, the company was fined a record £400,000 (nearly $500,000) by the national data protection agency.
The company announced initially that four million customers may have been affected, but this estimate proved high. Two teenage boys were arrested shortly after the announcement, and a total of six arrests have now been made. The investigation remains ongoing, according to the BBC.
TalkTalk fell under scrutiny because cybercriminals were able to hack the system and steal data relatively easily. They took advantage of vulnerable webpages that TalkTalk had acquired from another ISP, Tiscali. Two earlier attacks on these same vulnerabilities were ignored by TalkTalk.
“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease,” said information commissioner Elizabeth Denham. “Hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this because they have a duty under law, but they must also do this because they have a duty to their customers.”
In Europe, data breach penalties will increase in May 2018 when the General Data Protection Directive comes into force. The maximum fines will rise to as much as 4% of the company’s global turnover or €20 million (just over $22 million), whichever is larger. The stricter rules are intended to prompt companies to prioritize data security.