ICO Issues Record Fine against TalkTalk following Hacking of Customer Data
On 5 October 2016 the Information Commissioner’s Office (ICO) ordered the telecoms group TalkTalk to pay a fine of £400,000. The fine was issued as a result of a data breach that took place between 15 and 21 October 2015, when hackers accessed the company’s customer data. The attack compromised the personal information of 156,959 TalkTalk customers, including their names, addresses, dates of birth, phone numbers and email addresses.
The hackers were able to access the data via three vulnerable webpages that were part of an old infrastructure inherited by TalkTalk through an acquisition in 2009. TalkTalk did not know that the database software was outdated and no longer supported by the provider, because it had failed to scan it properly. The software was affected by a bug which enabled the hackers to bypass access restrictions; an easy fix would have been available.
The ICO’s investigation concluded that these failures by TalkTalk, which led to the data breach, constituted a breach by TalkTalk of the Seventh Principle of the Data Protection Act (DPA) because it did not have in place appropriate security measures to protect the personal data for which it was responsible.
The £400,000 fine is the largest fine ever issued by the ICO, which at present has the ability to issue fines as high as £500,000.
Kemp Little’s Head of Data Protection & Privacy, Nicola Fulford, was in attendance when the fine was announced by the Information Commissioner, Elizabeth Denham. Denham indicated that “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.” She emphasised that although hacking is not defensible, it “is not an excuse for companies to abdicate their security obligations”. “TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action” she added.
The fine is a clear signal by the ICO that the onus is on businesses to take greater steps to protect their customers’ personal data. According to Denham, the record fine represents a “warning to others that cyber security is not an IT issue, it is a boardroom issue” and represents a “duty to their customers.”
It should be noted that the ICO’s investigation into TalkTalk’s data breach was concerned only with whether or not TalkTalk breached the DPA. A separate criminal investigation is also currently being conducted.
For an analysis of the report by the UK’s Culture, Media and Sport Committee on the TalkTalk data breach, which preceded the issuance of the ICO fine, please refer to an article by Kemp Little’s experts Nicola Fulford, Partner and Head of Data Protection and Privacy and Emma Wright, Commercial Technology Partner, entitled “Report into TalkTalk breach highlights security concerns” originally published in E-Commerce Law and Policy in July 2016, and available here.