So what exactly happened? Well, the information was taken from a database that TalkTalk obtained as part of its Tiscali acquisition in 2009. According to the ICO, TalkTalk failed to investigate its new asset properly -- three vulnerable webpages slipped through the cracks, because of outdated database software that was no longer supported by the developer. A patch had already been issued, but neither Tiscali or TalkTalk had applied it. "Had it been fixed, this (hack) would not have been possible," the ICO claims. In the third week of October 2015, the attacker(s) then used a technique called SQL injection to obtain the data.
"When it came to the basic principles of cyber-security, TalkTalk was found wanting," Denham said. "Today's record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers."
The hack has taken a hit on TalkTalk's profits and subscriber numbers. To recover, the company is attempting a major reboot with new branding, packages and customer guarantees. But shaking its tarnished image will be easier said than done. As the Guardian reports, TalkTalk's new, simplified tariffs -- which bundle line rental into a single monthly fee -- come at the expense of its legacy plans. Around half of its customers will be hit with price increases unless they switch to one of its new packages.
TalkTalk says it's "listened hard" to customer feedback. "People are fed up of confusing packages and loud advertising, they're frustrated with deals which shoot up mid contract, and they hate seeing the best deals saved for new customers," Tristia Harrison, TalkTalk's Consumer Managing Director said. Let's hope they've listened just as hard to the ICO's criticisms.