It was one of the biggest stories of 2015. The British telecommunications company TalkTalk suffered what at the time was one of the worst data breaches ever recorded. The total number of customer records stolen was approximately 157,000 and the cost to the business was nearly £77m. Initial claims put the number of affected customers nearer 4 million, but this proved to be inaccurate.
The hackers targeted the company’s websites and compromised extremely sensitive customer information. The information included names, addresses, dates of birth and, most notably, bank account and sort code details.
Once the details were stolen by one of the offenders, he passed them on to a friend to sell to other hackers for financial gain. At the time they also tried to sell details of the vulnerability.
TalkTalk Hack = Jail
Fast forward to 2018 and the hackers at the centre of the breach are now in jail.
Both of the offenders, now 23 and 21, are living at Her Majesty’s pleasure for 12 months and 8 months respectively. The ICO also issued a then record fine to TalkTalk of £400,000 for poor cybersecurity practice. This would without doubt be a lot higher today under the new GDPR legislation.
This poor cybersecurity practice was actually the failure of TalkTalk to prevent SQL injection attacks on their website, a relatively simple technique for extracting information from unsecured web applications.
At the time of the hack, the offenders would have been in their late teens and very early twenties. It therefore goes to show that with just a little bit of know-how and willingness, relatively inexperienced people can and will attempt to steal data.
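The root cause named above is worth seeing in code. The following is an added example, not code from the article or from TalkTalk's systems: it uses a constructed in-memory SQLite table with made-up customer rows, and contrasts a lookup that splices user input into the SQL string with one that binds the input as a query parameter. The table name, columns and sample values are assumptions for illustration only.

```python
import sqlite3

# Constructed sample data (not TalkTalk's real schema): a tiny customer table.
SAMPLE_CUSTOMERS = [
    ("alice", "Alice Smith", "12-34-56", "12345678"),
    ("bob", "Bob Jones", "65-43-21", "87654321"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, name TEXT, sort_code TEXT, account TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """The failure mode: user input is concatenated into the SQL text,
    so it becomes part of the query grammar rather than a plain value."""
    sql = (
        "SELECT name, sort_code, account FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The mitigation: a parameterised query. The driver binds the input as
    data, so no characters in it can alter the statement's structure."""
    sql = "SELECT name, sort_code, account FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a textbook probe string and a legitimate
    username, returning the row counts so the difference is measurable."""
    conn = make_db()
    probe = "x' OR '1'='1"  # closes the quoted literal and adds an always-true clause
    return {
        # Concatenation turns the probe into WHERE username = 'x' OR '1'='1',
        # which matches every row: the whole table is disclosed.
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        # Bound as a parameter, the same probe is just an unknown username.
        "safe_rows": len(lookup_safe(conn, probe)),
        # The parameterised lookup still works for a real username.
        "safe_legit_rows": len(lookup_safe(conn, "alice")),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a defender is that the fix is not input filtering but separating code from data at the driver level; every database API in common use offers bound parameters, and a code review or static-analysis rule that flags string-built SQL is a cheap control against exactly the class of flaw described here.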
It can be difficult to attribute an exact cost figure to TalkTalk following the breach but £77m seems accurate.
The actual fine from the ICO was relatively small and worked out at only 0.52% of the overall cost to the business. It was the brand damage and loss of custom that really hurt TalkTalk.