TalkTalk fine: Firm will have to pay only £320,000 if it coughs up early
Pay by 1 November and receive £80,000 saving
TalkTalk will have to pay only £320,000 to the Information Commissioner's Office (ICO) if it pays the fine by 1 November.
The ICO levied a fine of £400,000 against the company after the 2015 attack on its systems that led to thousands of customers having their data stolen.
However, as per the usual ICO fining mechanism, if TalkTalk does not appeal against the ruling and pays before the end of the month the amount is reduced by 20 per cent, to £320,000.
V3 contacted TalkTalk to confirm whether it intends to appeal or pay the fine before the 1 November deadline, but the company declined to comment.
A TalkTalk statement did say that the firm is "disappointed" with the ICO's decision, but stopped short of suggesting that it will launch an appeal.
"We continue to be respectful of the important role the ICO plays in upholding the privacy of consumers," TalkTalk added.
The ICO handed down the fine after ruling that the company failed to implement "the most basic security measures" to prevent the hack on the firm last year.
The TalkTalk breach occurred in October 2015, and the hackers made off with the personal data of 156,959 customers, including names, addresses, dates of birth, phone numbers and email addresses. In 15,656 of those cases the attacker also had access to bank account numbers and sort codes.
The ICO has cast its critical eye over the breach, which cost the telecoms firm 95,000 customers, and announced on Wednesday that it has imposed a record £400,000 fine.
"In spite of its expertise and resources, when it came to the basic principles of cyber security, TalkTalk was found wanting," said new information commissioner Elizabeth Denham.
"Today's record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers."
The watchdog noted that the breach came about after an attack on three vulnerable web pages in the infrastructure that TalkTalk inherited from Tiscali's UK operations in 2009.
The ICO also criticised the ISP for "failing to properly scan" the infrastructure for potential threats, and for being unaware that the installed version of the database software was outdated and no longer supported by the vendor.
"The company said it did not know at the time that the software was affected by a bug, for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible," the ICO noted.
The ICO also said that TalkTalk should have had defences in place to prevent hackers using SQL injection to access data, pointing out that two SQL injection attacks exploited the same vulnerabilities earlier in 2015.
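The kind of defence the ICO has in mind, as an added example that is not code from TalkTalk, the ICO or V3: an access-restricted customer lookup written first with string formatting, which the classic `' OR '1'='1' --` payload uses to comment out the row-ownership check, and then with bound parameters, where the same payload returns nothing. It assumes Python's standard `sqlite3` module and an in-memory table of constructed rows; the table, column names, sample data and payload are illustrative and say nothing about the actual TalkTalk pages.

```python
"""Added example, not TalkTalk's or the ICO's code: a deliberately injectable
lookup beside its parameterised form, run against constructed sample data."""
import sqlite3

# Constructed sample data for the demo; names, emails and bank details are made up.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.com", "12-34-56", "11112222"),
    (2, "bob", "bob@example.com", "65-43-21", "33334444"),
    (3, "carol", "carol@example.com", "98-76-54", "55556666"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, username TEXT, email TEXT, "
        "sort_code TEXT, account_no TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username, requester_id):
    """Access-restricted lookup built with string formatting (deliberately
    vulnerable). The WHERE clause is meant to return only the requester's own
    row, but attacker-controlled text is pasted straight into the SQL."""
    sql = (
        "SELECT username, email, sort_code, account_no FROM customers "
        f"WHERE username = '{username}' AND id = {int(requester_id)}"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username, requester_id):
    """The same lookup with bound parameters: the driver passes the username as
    a value, never as SQL text, so the ownership check cannot be commented out."""
    sql = (
        "SELECT username, email, sort_code, account_no FROM customers "
        "WHERE username = ? AND id = ?"
    )
    return conn.execute(sql, (username, int(requester_id))).fetchall()


# A classic payload: it closes the string literal, adds an always-true
# condition and turns the rest of the WHERE clause, id check included,
# into a SQL comment. The vulnerable query becomes:
#   ... WHERE username = 'x' OR '1'='1' --' AND id = 2
INJECTION_PAYLOAD = "x' OR '1'='1' --"


def demo():
    """Return how many rows each version hands to requester 2 given the payload."""
    conn = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, INJECTION_PAYLOAD, 2)),
        "hardened": len(lookup_hardened(conn, INJECTION_PAYLOAD, 2)),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 3, 'hardened': 0}
```

Parameterisation closes the injection route regardless of what the payload looks like, which is why it rather than input filtering is the first control to add; it does not, however, substitute for patching the database software itself, which the ICO separately faulted TalkTalk for leaving unsupported.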
Denham said: "TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease.
"Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."
The ICO is currently investigating the Yahoo mega-hack that reportedly affected eight million people in the UK.