Talk (Talk) is not cheap - record fine for data breach
06 October 2016
Speak of making an entrance. Within a few weeks of her new appointment as the new UK Information Commissioner, Elizabeth Denham has issued TalkTalk with a £400,000 monetary penalty notice, the biggest fine yet awarded by the ICO.
Speak of making an entrance. Within a few weeks of her new appointment as the new UK Information Commissioner, Elizabeth Denham has issued TalkTalk with a £400,000 monetary penalty notice, the biggest fine yet awarded by the ICO.
Ms Denham makes no secret of the fact that the record fine is intended to send a message that cyber security is an issue for boardrooms, not IT departments holed up in their basements. And she’s probably got their ear.
The fine was issued following a cyber attack which took place a year ago where personal data of 156,959 customers were accessed. Those data included their names, addresses, dates of birth, phone numbers and email addresses. And, in 15,656 cases, their financial information too.
The cause was apparently a vulnerability in webpages and an underlying database due to a bug in outdated software. Those webpages were part of Tiscali’s infrastructure, bought by TalkTalk in 2009. But as TalkTalk was not aware of those webpages, they were not secured or removed, despite a fix for the bug being made available by the software supplier a number of years before the attack.
Ms Denham took the view that those failures were a serious oversight and, as such, contravened the seventh data protection principle. This requires organisations to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data. It was also a breach of the fifth principle because the data were kept for longer than necessary.
Although Ms Denham took into account a number of mitigating factors ranging from reporting the incident, being cooperative, notifying customers and offering them 12 months of free credit monitoring, ultimately she decided that TalkTalk could afford to pay the fine. But in a country waking up to group litigation for data protection claims, and where compensation can now be awarded for distress alone, the cost to TalkTalk is unlikely to stop there.
For further discussion, please contact Ali Vaziri