TalkTalk hack: Firm settles ICO fine for £320,000
Saves £80,000 by coughing up early
TalkTalk has saved £80,000 by paying a £400,000 fine from the Information Commissioner's Office (ICO) before the 1 November deadline, thereby reducing the penalty by 20 per cent.
This means that TalkTalk paid £320,000 for the breach in November 2015 that affected thousands of customers.
The ICO confirmed to V3 that the payment was received before the cut-off date and that the company was therefore entitled to the standard 20 per cent discount that applies to all ICO fines.
The £400,000 penalty was issued last month and is the largest the ICO has handed out to date. New information commissioner Elizabeth Denham said at the time that the size of the sum underlines the seriousness of the incident.
"TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease," she said.
"Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."
The ICO explained that TalkTalk should have had defences in place to prevent hackers using SQL injection to access data, pointing out that two SQL injection attacks exploited the same vulnerabilities earlier in 2015.
"The company said it did not know at the time that the software was affected by a bug, for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible," the ICO noted.
Thousands of customers left TalkTalk after the hack, and the firm has taken a financial hit of £60m.
A 19-year-old has since appeared in court in relation to the incident, accused of demanding payment of 465 bitcoins, worth around £216,000, from TalkTalk to stop the attack.