6 October 2016
The Information Commissioner’s Office (‘ICO’) announced, on 5 October 2016, that it had issued a record £400,000 fine to TalkTalk Telecom Group Plc in relation to a cyber attack in October 2015, which resulted in the personal information of over 150,000 customers being accessed. In particular, bank account numbers and sort code details of 15,656 of those customers were also obtained.
Eduardo Ustaran, Partner at Hogan Lovells LLP, told DataGuidance, “The Information Commissioner, Elizabeth Denham, has nailed it by saying that cybersecurity is not an IT issue, but a boardroom issue. Sanctions are bound to increase until they become a big enough motivator. In a way, businesses have a grace period at the moment until the fines really start to bite under the General Data Protection Regulation. Not every data incident is a breach of the legal requirements, but when the risks are ignored, regulators will be sure to act with all their force. The drill should be well known by now: assess, prepare and respond.”
During its investigation, the ICO found that the attack exploited vulnerabilities in three webpages which TalkTalk operated following its 2009 acquisition of the UK operations of Tiscali. The vulnerability allowed access to a database which held customers’ personal data including names, addresses, dates of birth, phone numbers, email addresses and financial information. The ICO found that the attack “could have been prevented if TalkTalk had taken basic steps to protect customers’ information” and that, as a result, TalkTalk violated the seventh principle of the Data Protection Act 1998 (‘the DPA’).
In reaching its decision regarding the amount of the penalty, the ICO noted that it took into account mitigating factors such as TalkTalk’s notification to the ICO, the remedial action TalkTalk had taken and the impact of a penalty on the company’s reputation. Despite these factors, the ICO was satisfied that, due to the number of data subjects affected, the nature of the financial information which was accessed and the possible consequences of its exposure, there had been a contravention of a kind which was likely to cause substantial damage or distress, as required by Section 55A of the DPA for the imposition of a monetary penalty. In addition, although the contravention was not deliberate, the ICO found that TalkTalk had failed to monitor and implement appropriate technical and organisational measures to ensure that such a cyber attack could not occur.
Denham highlighted, “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action. In spite of its expertise and resources, when it came to the basic principles of cybersecurity, TalkTalk was found wanting. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
Alexis Kateifides | Privacy Analyst