TalkTalk has been slapped with a record fine of £400,000 for failing to prevent a cyber attack last year.
The Information Commissioner's Office has issued the largest fine in its history to the telecoms firm, which suffered one of the most high-profile attacks ever experienced by a business in the UK.
The data regulator said TalkTalk did not do enough to protect customer data at even a basic level. More than 150,000 customers had their details stolen, including bank account numbers, birth dates and addresses.
“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease,” said the information commissioner, Elizabeth Denham.
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
An investigation by the ICO found that hackers gained access to a customer database TalkTalk had inherited through its acquisition of Tiscali, via vulnerable web pages that the company had not spotted.
TalkTalk was not aware of a bug in those pages that let an attacker bypass the access restrictions, and so had not applied the relevant patch.
It had also missed "two early warnings" before the hack which would have signalled the hole in its security.
"The attacker used a common technique known as SQL injection to access the data. SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data," said the ICO.
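To make the ICO's point concrete, here is an added example, not code from the article or from TalkTalk, showing the class of flaw described: a lookup that splices user input into the SQL text beside the parameterised form that defends against it. The table, column names and rows are constructed for the demonstration and bear no relation to TalkTalk's systems.

```python
import sqlite3

# Constructed sample data (hypothetical schema, not TalkTalk's): a small
# in-memory table holding the kind of fields the article says were stolen.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, "
        "account_no TEXT, dob TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, account_no, dob) VALUES (?, ?, ?)",
        [
            ("alice@example.com", "11111111", "1980-01-01"),
            ("bob@example.com", "22222222", "1975-05-05"),
        ],
    )
    return conn

def lookup_vulnerable(conn, email):
    # The classic mistake: the user-supplied value becomes part of the SQL
    # statement itself, so a quote in the input changes the query's structure.
    sql = ("SELECT email, account_no, dob FROM customers WHERE email = '"
           + email + "'")
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, email):
    # The well-understood defence: a bound parameter. The driver passes the
    # value separately from the statement, so it can only ever be compared
    # as data and can never alter the WHERE clause.
    sql = "SELECT email, account_no, dob FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

# A textbook tautology payload: closes the string literal and appends a
# condition that is always true.
PAYLOAD = "x' OR '1'='1"

def row_counts(email):
    """Return (vulnerable_rows, parameterised_rows) for one input string."""
    conn = build_db()
    try:
        return (len(lookup_vulnerable(conn, email)),
                len(lookup_parameterised(conn, email)))
    finally:
        conn.close()

if __name__ == "__main__":
    print("legitimate email:", row_counts("alice@example.com"))  # (1, 1)
    print("injection payload:", row_counts(PAYLOAD))             # (2, 0)
```

With a legitimate address both functions return the single matching row. With the payload, the concatenated query becomes `WHERE email = 'x' OR '1'='1'` and dumps every customer, while the parameterised query simply looks for a customer whose address is literally `x' OR '1'='1` and finds none. The fix is not input filtering but keeping data and query text separate, which is why the ICO could describe the defence as well understood.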
“In spite of its expertise and resources, when it came to the basic principles of cyber security, TalkTalk was found wanting,” said Denham.
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”