In October 2015 TalkTalk became the victim of a cyber attack that resulted in the personal details of 156,959 customers being accessed, including the bank account number and sort code of 15,656 customers.
The ICO’s investigation
The cyber attack, which exploited vulnerabilities in three webpages operated by TalkTalk following its acquisition of the UK operations of Tiscali in 2009, gave the attackers access to an underlying database holding customers' personal details. Following TalkTalk’s report of the breach to the ICO, the ICO launched an investigation.
The ICO’s investigation was focused on whether or not TalkTalk had complied with Principle 7 of the Data Protection Act 1998 (the DPA) which requires data controllers to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. As a result of its investigation, the ICO found that:
- TalkTalk had failed to remove or otherwise secure the three webpages
- the database software used was outdated and was affected by a bug for which a fix had been available for over three and a half years but had not been applied
- TalkTalk failed to undertake proactive monitoring to discover the vulnerabilities
- there had been two previous attacks of the same type, but TalkTalk did not take any action because of a lack of monitoring
- the loss of customers’ personal data was likely to be distressing to those customers and had the potential to cause damage (for example, fraud).
The fine
The ICO found that TalkTalk failed to comply with Principle 7 of the DPA despite having the necessary financial and personnel resources. Consequently, the ICO has levied a fine of £400,000, the largest ever issued by the ICO. Whilst the fine is not the maximum £500,000 which can be issued by the ICO, it highlights the seriousness with which the ICO considers TalkTalk's failures to comply with its obligations as a data controller under the DPA.
Given the number of customers impacted by the breach and the ease with which the cyber attackers were able to exploit vulnerabilities to gain access to the database, the amount of the fine is not surprising but will undoubtedly raise the question as to whether it will be the subject of an appeal by TalkTalk.
What does this mean for businesses?
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this because they have a duty under law, but they must also do this because they have a duty to their customers.” – Elizabeth Denham, Information Commissioner (5 October 2016)
In protecting against cyber attacks and ensuring the security of data, businesses should recognise that no system is unhackable and should build their technical and organisational measures taking into account the type of data they hold. The findings of the ICO's investigation reinforce the need to ensure the regular and systematic review of the measures put in place to secure and protect the data. With cyber attacks becoming more prevalent, businesses should also ensure that they have in place appropriate crisis management strategies should they become the victim of a cyber attack.
This record fine is also a stark reminder to businesses of the need to comply with the DPA. Compliance with the DPA and information security is not an issue solely for the IT or legal departments but is a business-wide issue – for many businesses this means a fundamental cultural shift that will become increasingly important as businesses move towards being compliant with the General Data Protection Regulation that comes into force in May 2018.