
TalkTalk fined GBP 400,000 for theft of customer details

Thursday 6 October 2016 11:51 CET | News

TalkTalk has been fined GBP 400,000 for poor website security which led to the theft of the personal data of nearly 157,000 customers.

The cyber-attack on its website took place in October 2015. The Information Commissioner's Office (ICO), which imposed the fine, said security was so poor that the attack succeeded with ease.

TalkTalk commented that the fine was disappointing as it had co-operated fully with the investigation. The fine is the largest yet imposed by the ICO, which under its powers could have imposed a maximum fine of GBP 500,000.

In nearly 16,000 cases, the attacker was able to steal bank account details. The ICO explained that TalkTalk had been very lax in enforcing proper security on its own website. Database software, which held details of customers inherited from the 2009 takeover of a rival firm, Tiscali, was out of date. As a result, the attacker got hold of the customers' details by attacking three vulnerable web pages, using a well-known hacking technique called SQL injection.

A bug, which could have been fixed, allowed the attacker to bypass restrictions, but the company was simply unaware of the problem or that it could be solved easily. That was despite two previous, similar cyber-attacks earlier in 2015 that should have alerted the firm to the problems with its software and data storage.

In May 2015, TalkTalk revealed that the attack had cost it GBP 42 million and that 101,000 subscribers had left in the aftermath of the attack.



Keywords: online fraud, online security, cyber security, fraud prevention, TalkTalk, fined, customer details, data theft
Categories: Fraud & Financial Crime