TalkTalk to get 20 per cent discount on fine for 2015 security breach - if it pays by 1 November
TalkTalk could cut ICO's record £400,000 fine for security breach by paying fine rather than appealing
TalkTalk will get a 20 per cent discount on the £400,000 fine levied today by the Information Commissioner's Office (ICO) if it pays up by 1 November.
The ICO levied the fine in punishment for the 2015 hack on its systems that led to thousands of customers having their personal and, in some cases, financial data stolen.
However, as per the usual ICO fining mechanism, if TalkTalk does not appeal the fine and pays before the end of the month the amount will be reduced by one-fifth to £320,000.
Computing contacted TalkTalk to find out whether it intends to appeal or to pay the fine before the deadline, but it declined to comment.
A statement from the company said that it was "disappointed" with the ICO's decision but stopped short of suggesting that it would appeal. "We continue to be respectful of the important role the ICO plays in upholding the privacy of consumers," it added.
The ICO handed down the fine after it ruled that the company had failed to implement "the most basic security measures" to prevent the hack it suffered last year.
The TalkTalk breach occurred in October 2015 and the hackers made off with the personal data of 156,959 customers including names, addresses, dates of birth, phone numbers and email addresses. The attackers also gained access to bank account details and sort codes in 15,656 cases.
After casting its critical eye over the breach, which cost the company 95,000 customers that it is still struggling to win back, the ICO announced today that it has imposed a record £400,000 fine.
"In spite of its expertise and resources, when it came to the basic principles of cyber security, TalkTalk was found wanting," said new information commissioner Elizabeth Denham. TalkTalk's highly paid CEO Dido Harding did not cover herself in glory in her, or the company's, response to the security breach either.
The watchdog noted that the breach came about after an attack on three vulnerable web pages in the infrastructure that TalkTalk inherited from Tiscali's UK operations in 2009.
Ofcom criticised the ISP for "failing to properly scan" the infrastructure for potential threats and being unaware that the installed version of the database software was outdated and no longer supported by the provider.
"The company said it did not know at the time that the software was affected by a bug, for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible," the ICO noted.
The ICO also said that TalkTalk should have had defences in place to prevent hackers using SQL injection attacks to access data, pointing out that two SQL injection attacks on the company had exploited the same vulnerabilities earlier in 2015.
Denham said: "TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease.
"Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.
"Today's record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers."
The ICO is currently investigating the Yahoo mega-hack that reportedly affected eight million people in the UK.