Two interesting news stories

Yesterday (October 5th) saw two interesting news reports: one made headlines, the other didn’t.


The first report was the fine of £400,000 imposed on Talk Talk following their data breach last October; we first reported on it here.

The fine, the largest imposed by the Information Commissioner’s Office (ICO), was slightly less than the maximum that they could have levied, and is small change compared to the £42 million – and the loss of 101,000 customers – that Talk Talk admit that the breach has so far cost them.

The ICO’s full announcement is here and states that the names and addresses, telephone numbers and email addresses of 156,656 Talk Talk customers were accessed. It also states that some 10% of those customer details included bank sort codes and account numbers.

The stolen data was stored on a database of customers who joined Talk Talk when, in 2009, it acquired the UK operations of Tiscali. The data was accessed by using the relatively simple technique of SQL injection into a web page.

Talk Talk had already suffered two similar cyber attacks in 2015 that should have highlighted system vulnerabilities.

The Information Commissioner Elizabeth Denham said:

“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”

“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

While it was initially thought that the data breach had been committed by cyber terrorists, six people – all under 21 – have been arrested, the latest

The Information Commissioner added:

“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue.”

“Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”

We would add that it’s key for companies to be aware of what data they store and where.

We can help: our Data Discovery service identifies exactly where data is held, and once your company knows that, it can decide whether the data is still needed and whether appropriate protection is in place.



Yesterday’s second story reported on a call centre in the Indian city of Thane that was defrauding American residents to the tune of $150,000 a day and may have scammed over $26.5 million since October 2013.

Some estimates put the total higher at $75 million.

The call centre agents – who had been trained to speak with American accents – posed as US tax officials and convinced loan defaulters – who are obliged to cooperate with revenue officials – to make interim payments over the phone.

The bank details thus obtained were then used to empty the victims’ bank accounts.

Indian police arrested 750 people, and while most were subsequently released pending further enquiries, 70 remain in custody and police believe that they have identified the 9 people responsible for leading the scam.