TalkTalk fined a record £400,000 over cyber attack on customer data
TalkTalk has been handed a record £400,000 fine for security failings that allowed customers' data to be accessed "with ease" in a cyber attack.
The Information Commissioner's Office said the attack in October last year could have been prevented if TalkTalk had taken basic steps to protect customers' information.
Personal data of 156,959 customers, including names, addresses, dates of birth, phone numbers and email addresses was said to have been accessed.
The ICO said that in 15,656 cases , the attacker had access to bank account details and sort codes.
Information commissioner Elizabeth Denham said: "TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease.
"Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."
ICO investigators found that the cyber attack took advantage of technical weaknesses in TalkTalk's systems
The attack was said to have used a common technique known as SQL injection to access the data.
SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data, the ICO investigation found.
Ms Denham added: "In spite of its expertise and resources, when it came to the basic principles of cyber security, TalkTalk was found wanting.
"Today's record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue.
"Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers."
TalkTalk said in a statement: " TalkTalk has co-operated fully with the ICO at all times and, whilst this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers.
"During a year in which Government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset.
"This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business."
A police investigation into the alleged hack and data theft has been running separately.
:: Two people, a 17-year-old youth and a 19-year-old man, have been charged in relation to the alleged hack and data theft.