While the threat of a cyber-attack now features prominently on most U.K. company risk registers, regulatory action so far has been fairly low-key. But a recent case has shown that U.K. enforcement agencies are prepared to show their bite when necessary—and that organisations should take heed.
At the beginning of October, the U.K.’s data protection regulator hit telecom company TalkTalk with a record £400,000 (U.S. $319,160) fine for security failings that allowed a cyber-attacker to access customer data “with ease” (the fine has since been reduced to £320,000 (U.S. $255,328) for early payment).
The Information Commissioner’s Office’s (ICO) in-depth investigation found that a cyber-attack on the company between 15 and 21 October 2015 could have been prevented if TalkTalk had taken “the most basic cyber-security measures” to protect customers’ information.
ICO investigators found that the attacker took advantage of technical weaknesses in the company’s IT controls to access the personal data of 156,959 customers, including their names, addresses, dates of birth, phone numbers, and e-mail addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes.
Information Commissioner Elizabeth Denham said that while “hacking is wrong, that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not, and we have taken action.”
The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of rival phone and internet provider Tiscali’s U.K. operations in 2009. That inherited infrastructure contained just three vulnerable webpages that a hacker could exploit to gain access to customer information. A fix for the bug had been available since 2012, but TalkTalk had not carried out any assessment to check whether there were any vulnerabilities, and so the company did not realise that the installed version of the database software was outdated and no longer supported by the provider.
The ICO was unimpressed. The easily fixed bug allowed the hacker to bypass access restrictions using a common technique known as “SQL injection.” It involves an attacker supplying specially crafted input to a web application which, because the application pastes that input straight into the text of a database query rather than passing it to the database as data, is executed by the database as part of the query itself. That lets the attacker read or alter data the page was never meant to expose and, in some cases, take over and control the entire system.
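The following is an added illustration of the flaw the ICO describes, not TalkTalk’s code (which is not public) or the ICO’s: a constructed in-memory customer table, a lookup that builds its query by string concatenation, and the same lookup using a bound parameter. The table, the staff table, the e-mail addresses and the injected inputs are all invented for the example.

```python
import sqlite3

# Constructed sample data standing in for a customer database.
# The schema, names, sort codes and account numbers are invented.
CUSTOMERS = [
    ("alice@example.com", "Alice Smith", "12-34-56", "11111111"),
    ("bob@example.com", "Bob Jones", "65-43-21", "22222222"),
    ("carol@example.com", "Carol White", "11-22-33", "33333333"),
]
# A second, unrelated table the lookup page was never meant to touch.
STAFF = [("admin", "5f4dcc3b5aa765d61d8327deb882cf99")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (email TEXT, name TEXT, sort_code TEXT, account TEXT)")
    conn.execute("CREATE TABLE staff (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO staff VALUES (?, ?)", STAFF)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    # The untrusted value is pasted directly into the SQL text, so a quote
    # character in the input ends the string literal and whatever follows is
    # interpreted as SQL. This is the pattern SQL injection exploits.
    sql = "SELECT name, sort_code, account FROM customer WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # Same query, but the value travels as a bound parameter: the database
    # receives the SQL and the data separately, so quotes in the input can
    # never change the structure of the statement.
    sql = "SELECT name, sort_code, account FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two classic payloads. The first widens the WHERE clause so every row
# matches; the second appends a UNION that reads a different table and
# comments out the closing quote the application adds.
TAUTOLOGY = "x' OR '1'='1"
UNION_READ = "x' UNION SELECT username, pw_hash, '' FROM staff --"


def demo():
    conn = make_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "alice@example.com"),
        "legit_safe": lookup_safe(conn, "alice@example.com"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "tautology_safe": lookup_safe(conn, TAUTOLOGY),
        "union_vulnerable": lookup_vulnerable(conn, UNION_READ),
        "union_safe": lookup_safe(conn, UNION_READ),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Both lookups behave identically on a genuine e-mail address; the difference only appears on hostile input, which is why the flaw survives ordinary functional testing and why the ICO’s point about never having assessed the inherited pages for vulnerabilities matters. The parameterised form is the fix that was available all along; upgrading the unsupported database version is necessary housekeeping but does not by itself remove a concatenated query.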
Plenty of other organisations have had their fingers burnt by SQL injection prior to TalkTalk. The 2011 “hacktivist” attack on Sony exploited the same class of vulnerability to access the personal details of over 1 million customers, and Yahoo! came a cropper in 2012 when a similar attack resulted in the login details of 450,000 users being exposed. The House of Commons’ Culture, Media, and Sport Committee also said that “there had already been three other occasions when the ICO had issued a fine following an SQL attack (the largest of which was £200,000 [U.S. $159,580]), which should have also served as a warning to others, including TalkTalk.”
“SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data,” the ICO investigation found—especially after the company had already had two early warnings (that it failed to detect). The first was a successful SQL injection attack on 17 July 2015 that exploited the same vulnerability in the webpages. A second attack was launched between 2 and 3 September 2015.
“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting,” said Denham, adding that the “record fine acts as a warning to others that cyber-security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
The ICO’s investigation was limited to TalkTalk’s compliance with the eight principles of the U.K. Data Protection Act (DPA).
It concluded that TalkTalk breached principle seven of the DPA because the company failed to have in place the appropriate technical and organisational measures to protect the personal data it was responsible for, while the fifth data protection principle was also contravened since the company retained customer data for longer than was necessary. A criminal investigation by London’s Metropolitan Police has been running separately from the ICO’s investigation.
The maximum penalty could have been £500,000 (U.S. $395,950) rather than £400,000 (U.S. $319,160). However, since the company did not appeal the decision and paid promptly before 1 November, the amount was reduced by 20 percent to £320,000 (U.S. $255,328).
The incident has cost the telecom company around £42m (U.S. $34M) and seen its annual profits more than halve. Some estimates have suggested that the costs of the breach are more like £60m (U.S. $48M), which wipes out the company’s gross profit of £32m (U.S. $26M) for 2015.
Below is Parliament’s response to the TalkTalk hack.
Given the seriousness of the TalkTalk cyber-attack, the House of Commons’ Culture, Media and Sport Committee investigated the incident and the resulting report was published in June.
The report makes a number of recommendations that compliance professionals may find of interest:
1: The Committee report says that “it is appropriate for the CEO to lead a crisis response, should a major attack arise”. But it adds that “cyber security should sit with someone able to take full day-to-day responsibility, with board oversight, and who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber-attack”. To ensure this issue receives sufficient CEO attention before a crisis strikes, the report recommends that “a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the board.”
2: The Committee report says that in major organisations, where the risks of attack are significant, “the person responsible for cyber-security should be fully supported in organising realistic incident management plans and exercises, including planned communications with customers and those who might be affected, whether or not there has been an actual breach.”
3: The report also recommends that “companies and other organisations need to demonstrate not just how much they are spending to improve their security but that they are spending it effectively.” As a result, the Committee recommends that organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the Information Commissioner’s Office (ICO) on:
Staff cyber-awareness training;
When their security processes were last audited, by whom and to what standard(s);
Whether they have an incident management plan in place and when it was last tested;
What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine;
The number of enquiries they process from customers to verify authenticity of communications;
The number of attacks of which they are aware and whether any were successful (i.e., actual breaches).
Source: Parliament report on TalkTalk
TalkTalk took down its website on 21 October 2015 and informed both customers and the regulator on 22 October—one week after the attack first began. Under the U.K. Data Protection Act (DPA), there is no legal obligation on data controllers to report security breaches—irrespective of how long ago the breach occurred. However, the ICO believes that “serious” breaches should be reported (and promptly), although—yet again—the term “serious” is not defined within the legislation.
In a statement released on 5 October, TalkTalk said that the ICO’s decision was “disappointing,” especially since the company “had cooperated fully at all times.” TalkTalk also pointed out that “there is no evidence to suggest any customers have been impacted financially as a direct result of the attack.”
TalkTalk’s statement also implied that the company had been disproportionately treated, as other companies that lost customers’ unencrypted financial data received much lower penalties. For example, The Money Shop—a short-term loan company and pawnbroker—was fined £180,000 (U.S. $143,622) in August 2015 for the loss of an undisclosed number of unencrypted customer details (including financial information), while in February 2015 online insurer Staysure.co.uk was fined £175,000 (U.S. $139,633) for the loss of up to 100,000 live credit card details (including security numbers) and medical records, resulting in some 5,000 customers having their cards used by fraudsters. Furthermore, in November 2014 hotel booking website WorldView was fined just £7,500 (U.S. $5,984) after 3,800 customers had their credit card details (including security numbers) stolen by hackers.
However, experts do not share the company’s sense of being hard done by. “For many years, when the ICO’s focus was on encouraging a culture of data security, the regulator was happy if companies engaged with its investigations and took its recommendations seriously. TalkTalk appears to have believed this would still be the case,” says Mark O’Halloran, a partner at law firm Coffin Mew. However, O’Halloran believes that TalkTalk “was lucky not to be hit with the maximum £500,000 (U.S. $395,950) fine,” adding that the penalty “was a very clear signal to companies handling large quantities of people’s financial and other sensitive data that they need to pick up their game.”
Mark Skilton, a professor of practice at Warwick Business School, also believes that “TalkTalk seems to have got off lightly here,” saying that the size of the ICO’s fine is “insignificant” in respect of the size of the company’s turnover and customer base and “little more than a sting to TalkTalk’s finances.”
“Even by factoring in the reported numbers of 157,000 personal details and, of those, the 16,000 who had bank details stolen, it still only equates to £2.50 (U.S. $1.99) per head or £25 (U.S. $20) per person who lost banking data,” says Prof. Skilton. “The fine seems to be ‘proportionate’ to the impact, but shows little regard for the possible risks and lack of due diligence of a company with four million subscribers.”
The severity of the attack on TalkTalk, had it happened two years from now, could have triggered far more punitive fines under European Union (EU) law. Under the long-awaited (and debated) EU General Data Protection Regulation (GDPR), which will come into force in May 2018, the fine could have been much higher: potentially 4 percent of global turnover or €20m (U.S. $17M), whichever is higher, plus a separate fine of up to 2 percent of global turnover or €10m (U.S. $9M) for failure to comply with breach notification requirements. “In the case of TalkTalk, that could have been £72m (U.S. $57.5M) based on 2015 turnover. In that respect, the company has got off lightly,” says Gunter Ollmann, CSO of Vectra Networks, a threat management software company.
And according to Emma Wright, commercial technology partner at technology and digital media law firm Kemp Little, signs are that the United Kingdom has every intention of implementing the EU regulation. Karen Bradley MP, the U.K.’s Secretary of State for Culture, Media, and Sport, said at the end of October that the U.K. will be implementing the EU’s General Data Protection Regulation (GDPR)—despite leaving the European Union—and will “then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
“Other companies need to learn from TalkTalk and work on putting their security in-line before the GDPR comes into force,” says John Madelin, CEO at IT security company RelianceACSN. “Most U.K. businesses are unable to answer where their critical data lies, so it’s clear that the next two years are going to be an uphill battle. Unfortunately, with severe breaches happening on a near-daily basis, businesses are unlikely to take heed until something as hefty as GDPR proportions have been issued.”