TalkTalk has been slapped with a record £400,000 fine by the UK’s Information Commissioner’s Office for security failings related to last year’s cyber attack.
The ICO said the operator could have prevented the attack if it had taken “basic steps” to protect customers’ information.
Almost 157,000 people had their personal details accessed by the hacker in October last year after TalkTalk’s website was breached.
In 15,656 cases, the attacker also got access to bank account details and sort codes.
The ICO said TalkTalk failed to properly scan part of a legacy customer database for possible threats.
TalkTalk “was not aware” that the software was outdated and no longer supported by the provider, it added.
The investigation found that the attacker used SQL injection to access the data, a technique the ICO described as “a common technique that...is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data”.
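The ICO’s point that SQL injection is well understood and that defences exist is easiest to see side by side. The following is an added, self-contained example, not code from the article or from TalkTalk: a constructed in-memory SQLite table stands in for a customer database, `lookup_vulnerable` concatenates user input into the query text the way a legacy web page might, and `lookup_parameterised` is the standard defence of binding the value as a parameter. The table, column and payload names are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample rows for the demo (not real customer data).
CUSTOMERS = [
    (1, "alice@example.com", "hunter2", "11-22-33", "12345678"),
    (2, "bob@example.com", "letmein", "44-55-66", "87654321"),
]

# Two classic payloads: a tautology that widens the WHERE clause to every row,
# and a UNION that pulls a column the query was never meant to return.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = "' UNION SELECT email, password, NULL FROM customer --"


def build_db():
    """Create the hypothetical customer table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer ("
        "id INTEGER PRIMARY KEY, email TEXT, password TEXT, "
        "sort_code TEXT, account_no TEXT)"
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Untrusted input spliced into the SQL text: the injection the ICO describes."""
    sql = (
        "SELECT email, sort_code, account_no FROM customer "
        f"WHERE email = '{email}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """Same query with a bound parameter: the value never becomes part of the SQL."""
    sql = "SELECT email, sort_code, account_no FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A legitimate lookup behaves the same either way.
    print("legit, vulnerable:    ", lookup_vulnerable(db, "alice@example.com"))
    print("legit, parameterised: ", lookup_parameterised(db, "alice@example.com"))
    # The tautology dumps every customer's bank details from the vulnerable query...
    print("tautology, vulnerable:", lookup_vulnerable(db, PAYLOAD_TAUTOLOGY))
    # ...and the UNION exfiltrates password hashes that the page never displays.
    print("union, vulnerable:    ", lookup_vulnerable(db, PAYLOAD_UNION))
    # With a bound parameter both payloads are just e-mail addresses that match nobody.
    print("tautology, parameterised:", lookup_parameterised(db, PAYLOAD_TAUTOLOGY))
    print("union, parameterised:    ", lookup_parameterised(db, PAYLOAD_UNION))
```

The contrast is the whole lesson: the vulnerable function returns every row for the tautology and leaks the `password` column for the UNION, while the parameterised version returns nothing for either, because the driver hands the payload to the engine as data rather than as SQL. Parameterisation is the primary fix; restricting the web tier’s database account so it cannot read bank-detail columns at all would have limited the damage even where a query slipped through.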
The ICO confirmed that the fine was imposed on the operator for breaching the UK Data Protection Act.
Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.
“TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
TalkTalk, which has previously said the attack cost it 95,000 subscribers and halved its full-year profits, earlier this week unveiled a new strategy designed to regain the trust of consumers.
“TalkTalk has cooperated fully with the ICO at all times and, whilst this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers,” it said in a statement.
“During a year in which Government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset.
“This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.”
A separate criminal investigation by the Metropolitan Police remains ongoing.
Denham added: “Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue.
“Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”