ICO issues record £400,000 monetary penalty notice for TalkTalk data breach

The Information Commissioner has issued a record £400,000 monetary penalty notice to TalkTalk Telecom Group plc for failing to keep personal data secure, in breach of the Data Protection Act 1998.

Speedread

The ICO's investigation found that TalkTalk had failed to have appropriate security measures in place which could have prevented the cyberattack.

Background

The Information Commissioner has the power to impose a civil monetary penalty (up to a maximum of £500,000) for serious contraventions of the Data Protection Act 1998 (DPA) under section 55A of the DPA.

The seventh data protection principle (Part 1, Schedule 1 to the DPA) provides that "[a]ppropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

Facts

A hacker managed to access the personal data of 156,959 customers, which included their names, addresses, dates of birth, phone numbers and email addresses. In relation to 15,656 of these customers, the hacker was able to access bank account details and sort codes.

Back in 2009, TalkTalk acquired Tiscali's UK operations, whose infrastructure included webpages that were still accessible from the internet in 2015. Through these pages, the hacker was able to reach a database holding customers’ personal information.

The hacker was therefore able to extract personal details of TalkTalk’s customers from the database using a well-known technique called a “structured query language (SQL) injection” between 15 and 21 October 2015.

Two earlier attacks in July and September 2015 should have alerted TalkTalk to the vulnerability of this data. Despite a fix for the bug having been available for three and a half years, TalkTalk explained that it was not aware that the database software was no longer supported by the provider, nor that it was affected by a bug. Had TalkTalk applied the fix, the hacker would not have been able to bypass the access restrictions.

Criminal proceedings against a teenager (accused of hacking and then attempting to blackmail TalkTalk) continue separately.

Decision

The ICO found that TalkTalk failed to have appropriate security measures in place to protect the personal data it was responsible for. This was in breach of the seventh principle of the DPA.

It is all the more important to implement adequate security measures to protect personal data when financial information is concerned, especially when customers expect that their information will be held securely.

Although the hack was a criminal attack, TalkTalk had apparently failed to have adequately robust security in place. In addition, it was found that, given TalkTalk’s abundant financial and staffing resources, there was no excuse for failing to take reasonable steps to prevent the breach.

Comment

This case sends a strong message to businesses of the importance of keeping personal data secure, particularly financial information. Failure to do so can cost customers, money and reputation. It was reported that the attack had cost TalkTalk £42 million and led to the loss of 101,000 subscribers.

The Commissioner emphasised that cybersecurity should not be seen as an IT issue but as a boardroom issue. Businesses must be diligent and vigilant in the protection of personal information.

The Information Commissioner (Elizabeth Denham) has warned businesses that they must be both diligent and vigilant in protecting personal information, not only because of their legal obligations but also because of their duty to customers. As an employer, ensure that you take all reasonable steps to keep customer information secure, and carry out regular checks on your databases to ensure they are free from bugs and viruses.

The ICO has published best practice guidance on avoiding common IT security vulnerabilities that lead to data security breaches, which can be found on their website.

CONTACT KEELY

If you would like more information or advice relating to this article or an Employment law matter, please do not hesitate to contact Keely Rushmore on 01727 798046.

© SA LAW 2020

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.
