TalkTalk gets record fine by ICO for data breach

Telecoms company TalkTalk has been issued with a record £400,000 fine by the ICO for security failings that allowed a cyber attacker to access customer data “with ease”.

The ICO’s in-depth investigation found that an attack on the company last October could have been prevented if TalkTalk had taken basic steps to protect customers’ information.

ICO investigators found that the cyber attack between 15 and 21 October 2015 took advantage of technical weaknesses in TalkTalk’s systems. The attacker accessed the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes.

Information Commissioner Elizabeth Denham said:

    “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.

    “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009. The data was accessed through an attack on three vulnerable webpages within the inherited infrastructure. TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.

TalkTalk was not aware that the installed version of the database software was outdated and no longer supported by the provider. The company said it did not know at the time that the software was affected by a bug – for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible.

The attacker used a common technique known as SQL injection to access the data. SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data, the ICO investigation found.
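To make the point about "defences exist" concrete, here is an added illustration (not part of the ICO notice or TalkTalk's code) of the same customer lookup written two ways against a constructed in-memory table: one that concatenates user input into the statement, and one that uses a parameterised query so the input can only ever be compared as data. Table, column names and sample rows are all assumptions for the example.

```python
import sqlite3

# Constructed sample data standing in for the kind of inherited customer
# table described in the notice; every value is made up for this example.
CUSTOMERS = [
    (1, "alice@example.com", "Alice Example", "12-34-56"),
    (2, "bob@example.com", "Bob Example", "65-43-21"),
]

def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, email TEXT, name TEXT, sort_code TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn

def lookup_vulnerable(conn, email):
    """String concatenation: the caller's text becomes part of the SQL
    statement, so a value containing quotes can rewrite the WHERE clause."""
    sql = "SELECT name, sort_code FROM customer WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, email):
    """Parameterised query: the driver passes the value separately from the
    statement text, so it is only ever compared as a literal string."""
    sql = "SELECT name, sort_code FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    benign = "alice@example.com"
    tautology = "x' OR '1'='1"   # the textbook always-true input
    print(lookup_vulnerable(conn, benign))     # one row, as intended
    print(lookup_vulnerable(conn, tautology))  # every row: the filter is bypassed
    print(lookup_hardened(conn, tautology))    # no rows: treated as a literal e-mail
```

The hardened version is the defence the ICO refers to; it needs no input filtering because the database engine never parses the value as SQL.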

On top of that the company also had two early warnings that it was unaware of. The first was a successful SQL injection attack on 17 July 2015 that exploited the same vulnerability in the webpages. A second attack was launched between 2 and 3 September 2015.

Ms Denham said:

    “In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting.

    “Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”

The ICO’s investigation was limited to TalkTalk’s compliance with the Data Protection Act. It concluded that TalkTalk failed to have in place the appropriate security measures to protect the personal data it was responsible for. This is a breach of the seventh principle of the Data Protection Act.

A criminal investigation by the Metropolitan Police has been running separately to the ICO’s investigation.

There's more information about how the ICO’s investigation unfolded in our timeline article.

Notes to Editors

    The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
    The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
    The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.
    Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
        fairly and lawfully processed;
        processed for limited purposes;
        adequate, relevant and not excessive;
        accurate and up to date;
        not kept for longer than is necessary;
        processed in line with your rights;
        secure; and
        not transferred to other countries without adequate protection.
    Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
    Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).
    The ICO does not have the legal authority to award compensation.
 
    To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.
 
Article extracted from https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/ 