TalkTalk’s 2015 SQL injection assault

The Information Commissioner's Office (ICO) initially proposed a fine of £400,000 for TalkTalk's 2015 SQL injection attack, which exposed the personal information of more than 150,000 customers (later settled under agreement for £320,000).
Along with the SQL injection vulnerability itself, the ICO's investigation cited a number of other cyber security lapses, including two prior SQL injection attempts against the same web pages that went undetected because of a lack of monitoring. To make matters worse, the compromised customer data was held in a legacy database that was over three years old and lacked a security update the vendor had already provided.
For more than 20 years, code injection attacks have been a recognised, recurrent weakness, and any effective secure development process would have called this out.
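To make the recurrent weakness concrete, here is an added illustration (not code from TalkTalk or the ICO report) of the vulnerable pattern beside its fix. The schema, customer rows and the `HOSTILE` input are constructed for the demo; the `lookup_unsafe` function builds SQL text by string concatenation, while `lookup_safe` binds the input as a parameter so the database never interprets it as SQL. A small `unique_key_anomaly` check stands in for the kind of monitoring the investigation found missing: a lookup by a unique key that returns several rows is a signal worth alerting on.

```python
import sqlite3

# Constructed sample data for the demonstration (hypothetical, not a real schema)
CUSTOMERS = [
    (1, "alice@example.invalid", "Alice"),
    (2, "bob@example.invalid", "Bob"),
    (3, "carol@example.invalid", "Carol"),
]

# Constructed hostile input: a classic tautology that breaks out of the quoted literal
HOSTILE = "x' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database with the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable pattern: user input is spliced into the SQL text itself."""
    sql = f"SELECT id, name FROM customer WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened pattern: the input is bound as a value via a placeholder."""
    return conn.execute(
        "SELECT id, name FROM customer WHERE email = ?", (email,)
    ).fetchall()


def unique_key_anomaly(rows, expected_max=1):
    """Monitoring hook: a unique-key lookup returning more than one row is suspicious."""
    return len(rows) > expected_max


def demo():
    """Run both lookups with a normal and a hostile input and report what each returns."""
    conn = make_db()
    unsafe_hostile = lookup_unsafe(conn, HOSTILE)
    return {
        "unsafe_normal": lookup_unsafe(conn, "bob@example.invalid"),
        "unsafe_hostile": unsafe_hostile,
        "safe_normal": lookup_safe(conn, "bob@example.invalid"),
        "safe_hostile": lookup_safe(conn, HOSTILE),
        "anomaly_flagged": unique_key_anomaly(unsafe_hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the hostile input the concatenated query collapses to `WHERE email = 'x' OR '1'='1'` and returns every customer, which is exactly the row-count anomaly the monitoring hook flags; the parameterised query returns nothing because the whole string is compared as a literal email address. The same placeholder discipline applies to any driver or ORM, and is the control a secure development review would expect to see on every database call.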