The UK Information Commissioner’s Office (ICO) just issued a record fine to UK telecom company TalkTalk in connection with an October 2015 data breach. The £400,000 fine was issued after an in-depth investigation found that the cyber attack could have been prevented with “basic steps,” and such negligence resulted in cybercriminals gaining access to customer data “with ease.”
What were the “basic steps” revealed in the investigation? They included a failure to scan parts of its infrastructure for known vulnerabilities and the continued use of outdated database software. In addition, two prior SQL injection attacks had exploited the same vulnerabilities, which should have alerted TalkTalk to the problem well before the October 2015 breach.
“The attacker used a common technique known as SQL injection to access the data. SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data, the ICO investigation found.”
TalkTalk has already spent in excess of £35 million on remediation and lost revenue. On top of the record fine, the ICO imposed a further £1,000 penalty because TalkTalk failed to notify the Commissioner’s Office within 24 hours of becoming aware that a data breach had occurred. Records show that the ICO was only notified after TalkTalk had concluded its in-house investigation. Both fines underscore the hard line the ICO has drawn on data security enforcement.
The regulatory environment is more complex than ever before, both in the US and abroad. Compliance obligations imposed at multiple levels of government, combined with enforcement actions by industry regulators, make it harder than ever to keep on top of data protection and breach notification requirements. The implications of the EU General Data Protection Regulation (GDPR) should also be top of mind for global organizations.
Jonathan Armstrong, Absolute’s data regulation advisor and a lawyer at Cordery, recently spoke with the ICO’s Iain Bourne about the current state of data protection in the UK and Europe. A preview of their discussion follows below, including how the ICO will assess the higher fines available under the GDPR.
With Absolute Data & Device Security (DDS), organizations can regain control over the endpoint and the data held on it, even when that data lives in cloud storage applications. With the insight from Absolute DDS reporting and alerts, you can prevent or respond to data breaches by remotely deleting data or locking down devices, and prove compliance when required. Learn more at Absolute.com