ICO Issues Record Fine to TalkTalk for Personal Data Breach

Earlier this month, it was reported that internet service provider TalkTalk had been issued with a record £400,000 fine from the Information Commissioner’s Office (ICO) for failing to protect personal data from an easily avoidable cyber-attack. However, under new data protection laws coming into force from May 2018, the fine for a similar breach could be significantly higher, as fines could be up to 4% of a business’ global annual turnover (or €20,000,000, whichever is the greater).

The incident itself occurred between 15 and 21 October 2015, with the attackers obtaining the personal information of 156,959 people. This data included customers’ names, addresses, dates of birth, telephone numbers and email addresses and, in the case of 15,656 individuals, their bank account details and sort codes. Whilst these precise figures are now available, at the time of the breach TalkTalk knew neither how much data nor what kind of information had been taken by the attackers.

The database containing the personal information was accessed via three vulnerable webpages that TalkTalk had inherited with its acquisition of Tiscali’s UK operations in 2009, and which in turn dated back to the 1990s. Put simply, these pages were vulnerable because they had been neither decommissioned nor maintained. Defences that have since become standard on newer sites were never applied to these older pages, leaving them exposed in ways newer sites are not, which in this case allowed teenagers to steal the information from their bedrooms.

The ICO said that TalkTalk should have known of the weaknesses in its data protection infrastructure, as two earlier attacks had occurred on 17 July 2015 and between 2 and 3 September 2015. However, a lack of technical and organisational expertise seemingly meant that these warning signs were put to one side rather than investigated.

The ICO concluded that the company was in breach of the seventh data protection principle in the Data Protection Act 1998, which requires that appropriate technical and organisational measures be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Under the new EU General Data Protection Regulation, coming into force in May 2018, the fine for a similar breach could be up to 4% of the company’s total worldwide annual turnover of the preceding financial year (or €20,000,000, whichever is the greater). The current maximum fine a company could face in the UK is £500,000.

This huge jump in potential financial liability shows that businesses must take data protection compliance and cyber security seriously: a breach will soon hit the balance sheet directly, not just reputation and revenue. Companies must regularly consider whether their methods for protecting customer data are sufficient and fit for purpose, and must have in place the infrastructure needed to secure that data. The ICO’s record fine is clearly sending a message that, as ICO Commissioner Elizabeth Denham put it, “cyber security is not an IT issue, it is a boardroom issue”.