TalkTalk cyber attack – how the ICO’s investigation unfolded
15-21 October 2015
A cyber attack exploits vulnerabilities in three webpages which are operated by TalkTalk following its 2009 acquisition of the UK operations of Tiscali. The exploitation of this vulnerability allows access to an underlying database holding customers’ personal data including names, addresses, dates of birth, phone numbers, email addresses and financial information.
TalkTalk website down
21 October 2015
TalkTalk becomes aware of the attack following internal reports of its network operating more slowly than normal. The attack type - SQL injection - was identified shortly after midday on 21 October, and around an hour later TalkTalk removed its websites and replaced them with a holding page.CO told about attack
22 October 2015
TalkTalk reports a potential data breach to the ICO. The ICO acts quickly and commences a preliminary investigation to look into the details of the incident. The ICO writes to TalkTalk and asks them to provide more information about the incident.
TalkTalk begins notifying the public about the attack.
The attack saw the personal details of 156,959 customers accessed, including the bank account number and sort code of 15,656 customers
TalkTalk issues a statement to the press informing them that it has sent customers emails informing them of the potential theft of their data.
Attack hits headlines
23 October 2015
The ICO issues a statement:
TalkTalk data security incident
"The ICO is aware of this incident, which was reported to us on Thursday afternoon. We will be making enquiries and liaising with the Police."Any time personal data is lost there can be a risk of identity theft. There are measures you can take to guard against identity theft, for instance being vigilant around items on your credit card statements or checking your credit ratings.
There are tips and information about identity theft available on our website."
The attack is covered by major news outlets across the world.
TalkTalk says 156,959 customers' personal details accessed, 15,656 bank account numbers & sort codes stolen https://t.co/PoJrHWmITj
— BBC News (UK) (@BBCNews) November 6, 2015
TalkTalk customer data at risk after cyber-attack on company website
TalkTalk hack: bank details may be at risk
– Sky News
House of Commons steps in
26 October 2015
The TalkTalk data breach is the subject of an Urgent Question in the House of Commons. The Chair of the Culture, Media and Sport Committee says they will follow developments related to the cyber attack closely.
3 November 2015
The committee formally launches an inquiry into the circumstances surrounding the TalkTalk data breach and the wider implications for telecoms and internet service providers..
15 December 2015
The inquiry hears evidence from Dido Harding, TalkTalk chief executive.
27 January 2016
Information Commissioner at the time, Christopher Graham, and ICO Group Manager for Technology, Dr Simon Rice, give evidence to the inquiry.
June 2016
Committee publishes its report.
The ICO’s investigation includes a meeting with TalkTalk at the ICO’s head office in Wilmslow as well as a technical review of the facts of the case. The investigation focuses on whether or not TalkTalk had complied with one of the principles set out in the Data Protection Act – that personal information must be kept secure.
ICO technical experts investigate
The ICO’s specialist technical team supported the enforcement team and found TalkTalk had failed to remove, or otherwise make secure, the webpages that enabled the attackers to access the underlying database. The investigation also highlighted that the database software in use was outdated. It was affected by a bug for which a fix had been made available over three-and-a-half years before the cyber attack but which had not been applied. The bug enabled the attackers to bypass access restrictions that were in place on the database. TalkTalk also failed to undertake appropriate proactive monitoring activities to discover vulnerabilities.
The attack was an SQL injection attack, a common type of cyber attack that has been well-understood for more than ten years and for which known defences exist.
The investigation found there had been two previous SQL injection attacks on 17 July 2015 and between 2-3 September 2015 but TalkTalk did not take any action due to a lack of monitoring of the webpages.
Impact on customers
The attacker accessed the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes. People whose data was taken would be distressed by concerns that their information had been further distributed. If the information was disclosed to untrustworthy third parties, then the attack would cause further distress and damage such as possible fraud in the future.
ICO investigation findings
The ICO’s investigation concluded TalkTalk failed to take appropriate measures against the unauthorised or unlawful processing of personal data, in contravention of the Data Protection Act. The ICO report said: “For no good reason, TalkTalk appears to have overlooked the need to ensure it had robust measures in place despite having the financial and staffing resources available."
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
£400,000 fine
The ICO decides to issues its biggest ever fine – £400,000 – to TalkTalk after taking into account a range of factors demonstrating the seriousness of the event. These included that TalkTalk should have known the legacy Tiscali pages existed, that there had been two previous attacks on the same vulnerable page but TalkTalk didn’t take any action and that the software was outdated.
Advice for customers
In a world of ever-evolving technology, it’s understandable that people are sometimes nervous about how their personal details are being used and whether or not they are safe in the hands of a company. The ICO is the UK’s independent authority set up to uphold information rights in the public interest. Our website has a dedicated section for the public, including guidance on online safety. You can also report your concerns about personal data security.
Businesses must learn from TalkTalk’s security failings. Failing to keep personal information secure is a breach of the Data Protection Act and it can cost your business customers, money and reputation. More importantly, you are honour bound to safeguard the information your customers entrust to you. There is no excuse for not doing this.
"Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this because they have a duty under law, but they must also do this because they have a duty to their customers."
Elizabeth Denham, Information Commissioner
TalkTalk pay ICO fine
1 November 2016
TalkTalk settles its fine with the Information Commissioner's Office.
TalkTalk hack: Firm settles ICO fine for £320,000 - Saves £80,000 by coughing up early https://t.co/bogePSwbDj
— V3 (@V3_co_uk) November 2, 2016
Further information
The ICO offers help and guidance to firms wanting to get it right. There’s a wealth of information on our website, including a useful data protection toolkit aimed at small businesses, advice on information security and guidance on using personal information online.