Record fine for TalkTalk for serious data breach
The Information Commissioner's Office (ICO) has fined TalkTalk a record £400,000 for a serious breach of the Data Protection Act 1998 after a cyber attack resulted in the theft of the personal data of 156,959 customers.[1] By operating outdated software affected by a bug, TalkTalk had failed to take appropriate technical and organisational measures against unlawful processing of personal data, in contravention of the 7th data protection principle. The decision highlights the ever-increasing importance of robust cyber security practices.
TalkTalk timeline
- 15 – 21 October 2015: cyber attacks
- 22 October 2015: TalkTalk reports potential data breach to ICO. ICO initiates preliminary investigation
- 23 October 2015: TalkTalk begins to notify public. Attack is covered by major news outlets across the world
- 26 October 2015: TalkTalk breach is subject of Urgent Question in House of Commons (HoC)
- 3 November 2015: HoC committee launches inquiry
- 15 December 2015: inquiry hears evidence from TalkTalk chief exec
- 27 January 2016: ICO gives evidence to inquiry
- 20 June 2016: HoC committee publishes report
- 30 September 2016: ICO issues monetary penalty notice
Tiscali acquisition
In 2009, the TalkTalk group acquired Tiscali. The group was unaware that Tiscali's infrastructure included old webpages, still available online in 2015, which provided access to a large customer database. The database software was outdated. It was affected by a bug that allowed restrictions to the database to be bypassed. The bug was first announced in 2012 when the software provider offered a fix. However, the fix was not implemented on the Tiscali websites and the database remained vulnerable.
Between 15 and 21 October 2015, a cyber attacker exploited the vulnerability through three webpages. The attacker:
- obtained contact details for 156,959 customers
- of these, obtained bank details for 15,656 customers
The 7th data protection principle
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Record fine
The ICO held that TalkTalk had failed to comply with the 7th data protection principle (see box) in using outdated and vulnerable database software. TalkTalk's ignorance of the issue was not a defence: the group should have taken proactive steps to ensure appropriate technical measures were in place. The ICO issued a record fine of £400,000 (reduced to £320,000 if paid promptly in full).
House of Commons report
In its recent report on cyber security and personal data, the HoC referred to TalkTalk. Calling for a step change in consumer awareness concerning online and telephone scams, the HoC expressed regret that, "some eight months after the breach, customers are no closer to a clear understanding of what happened."[2]
Taking cyber security seriously
What emerges from the TalkTalk fine is a clear message that organisations must take active responsibility for the personal data they process to ensure that it is well protected from cyber attacks. This means regularly reviewing the data that is held, how it is used and how it is protected. Under the forthcoming General Data Protection Regulation (GDPR), the fining regime will be much more robust. Instead of a cap of £500,000, the ICO will be entitled to fine four per cent of a company's worldwide turnover or €20,000,000 (whichever is greater) for serious breaches of the Regulation.