Today, UK Telecoms company TalkTalk has been issued with a record £400,000 fine by the ICO for security failings that allowed a cyber attacker to access customer data “with ease”.

The full 17-page report can be found here, however, here is my brief summary of 10 key points from this report:

1. A successful Cyber Attack took place on TalkTalk’s infrastructure between 15-21 October 2015.
2. The attack was in the form of an SQL injection exploit using SQLmap on former Tiscali-owned infrastructure (acquired by TalkTalk in 2009) which was running outdated versions of MySQL.
3. TalkTalk were not aware of the full extent of the Tiscali infrastructure they acquired.
4. Names, addresses, dates of birth, telephone numbers, email addresses and financial information of 156,959 customers were exposed, including the bank account numbers and sort codes of 15,656 customers.
5. Previous attacks exploiting the same vulnerability took place on 17th July 2015, and also between 2-3 September 2015.
6. TalkTalk failed to keep software up-to-date. A vendor fix for the exploit used was made available nearly four years before the attack.
7. TalkTalk “failed to take appropriate technical and organizational measures” to “safeguard customer data against unauthorized or unlawful access”.
8. TalkTalk should have been aware that their negligence “would be of a kind likely to cause substantial damage or substantial distress”.
9. TalkTalk have been fined a record £400,000 (~$510,000 USD) by the ICO (Information Commissioner’s Office) for their failings under the Data Protection act.
10. TalkTalk said the fine was “disappointing” as it had “co-operated fully” with the investigation.

Whilst this is the largest fine the ICO have ever issued, they could have issued a maximum fine of half a million pounds (~$638,000 USD). So why didn’t they, given the seriousness of this incident!? Only the ICO know the answer to that, but I suspect the reason for the slightly reduced fine will be because TalkTalk “co-operated” with the investigation.

So what lessons can be learned for this TalkTalk incident? Well, as Information Commissioner Elizabeth Denham says:
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”

Although, what kind of “warning” this sends to others, given that a £400,000 fine represents a measly 0.02% of TalkTalk’s £1.8B annual revenue, is debatable(!)