TalkTalk: ICO issues record fine
The ICO has issued a record £400,000 fine to TalkTalk for failing to keep personal data secure in breach of the Data Protection Act 1998 (DPA).
In October 2015, a hacker accessed the personal data of 156,959 TalkTalk customers including names, addresses, dates of birth, phone numbers and email addresses, as well as bank details of over 15,000 customers. The data was obtained through an attack on vulnerable web pages inherited from TalkTalk’s acquisition of Tiscali’s UK operations in 2009, which enabled access to a database holding customer information. The Tiscali system had been left vulnerable to a SQL injection attack, which could have been easily avoided through a well-known software fix.
The ICO investigation found that TalkTalk had failed to implement even the most basic cyber security measures. The ICO noted that TalkTalk was not aware that its database software was outdated and that it was affected by the SQL bug. But it ought to have known about and defended against the attack, having been subject to two similar attacks in 2015 which exploited the same vulnerabilities in the webpages.
Why is this important?
The record fine shows that the new Information Commissioner, Elizabeth Denham, is looking to take a robust approach to enforcement ahead of the introduction of the GDPR in May 2018. Denham said the record fine is “a warning to others that cyber security is not an IT issue, it is a boardroom issue”. Although the fine is high, it pales in comparison to the commercial damage suffered by TalkTalk, including reported costs of £60m and the loss of 101,000 customers. And penalties could soon be much higher. Under the GDPR, national regulators will be able to impose fines of up to €20m or 4% of total worldwide annual turnover. Not to forget also the potential for individual claims for distress, which could eclipse any fine in the event of an effective class action.
Any practical tips?
Take extra care when using inherited technology, and consider building out your warranties and representations when acquiring companies with existing tech infrastructure (with a particular focus on levels of data security). In any event, ensure that all software is updated with the latest patches and bug fixes and that staff are trained to be vigilant and to escalate security issues appropriately, and without delay. Above all, use the time left before the introduction of the GDPR to audit for weaknesses. The new data regime is unlikely to have much sympathy for this type of data breach in the future, and consumers are likely to talk with their feet if they think that they can’t trust you with their personal information.