Last year, hackers broke into the UK ISP TalkTalk and stole the personal information of over 157,000 people. Among the records stolen were bank details, including sort codes and account numbers. It was Christmas for identity thieves.
Today, the UK’s Information Commissioner’s Office (ICO) fined TalkTalk a record £400,000 (slightly more than $500,000). This was the largest amount any company has been fined after losing customer data, and is far more than the £250,000 that Sony was fined in the aftermath of the 2011 PlayStation Network hack.
Explaining their decision, the Information Commissioner Elizabeth Denham said that the “failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”
“[hacking] is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information.”
When you read the ICO’s report, you get a sense of the staggering negligence that allowed this data breach to take place. Put simply, TalkTalk was sleeping on the job.
There were three different webpages that were vulnerable to an SQL injection attack. This particular category of vulnerability is easy to mitigate, but TalkTalk had failed to scan these webpages for it. It’s likely that the company was oblivious to their existence, and to the fact that they had access to TalkTalk’s customer database.
And now, TalkTalk has been punished. Kinda.
£400,000 sounds like an awful lot of money. I suppose that it is to most people. But TalkTalk is a company with revenues of £1.795 billion ($2.25 billion), and the fine boils down to £2.50 (or $3.20) for each person caught up in the leak. By every definition, it’s chump change.
It doesn’t begin to compare to the stress those caught up in the breach have faced. These 157,000 victims are now at a heightened risk of falling victim to financial crime or phishing attacks. They now have to indefinitely monitor their credit for any irregularities.
Am I alone in thinking that the punishment doesn’t quite match the crime? Goddammit, I want heads to roll.
I want TalkTalk – and other companies that screw up so egregiously – to hurt. I want the fines to actually be a punishment, rather than another cost of doing business. And I want the people whose screw-ups are responsible for the breaches to face actual personal consequences.
Company directors can face jail time in cases of corporate manslaughter. If someone screws up so badly that over 100,000 people need to invest in credit monitoring, then surely that person should also face some kind of repercussion?