Last week TalkTalk was fined £400,000 by the Information Commissioner's Office (ICO) for breaching the Data Protection Act. This is the largest fine the ICO has imposed to date, which emphasises the seriousness of the breach.

Back in October 2015, three webpages which TalkTalk controlled (due to acquiring Tiscali in 2009) were subject to a cyber attack. This cyber attack meant that the personal data of 156,959 customers was accessed; in 15,656 instances the attacker gained access to bank account details. Other types of data accessed included: names; addresses; dates of birth; phone numbers; e-mail addresses; and financial information.

TalkTalk became aware of the cyber attack and shut down the webpages, after which it reported the breach to the ICO. Reporting a breach to the ICO is an obligation on service providers such as TalkTalk, as set out in Regulation 5A(2) of the Privacy and Electronic Communications Regulations (PECR).

At this stage, due to the seriousness of the breach, the public were informed. This was required by Regulation 5A(3) of the PECR, which states that subscribers should be informed of a breach that could "adversely affect their personal data".

Consequently, the House of Commons raised the data breach as an "Urgent Question". The House launched its own investigation into the cyber attack, considering how the consequences of this breach would affect service providers in general. It heard from several individuals during the period of investigation, including the Chief Executive of TalkTalk, the Information Commissioner, and the ICO Group Manager for Technology.

Although the House of Commons issued a report on its inquiry in June 2016, the ICO continued with its own investigation.

The ICO found that TalkTalk had failed to remove the webpages that enabled the hackers to access the customers' personal data. The ICO also recognised that the database software used by TalkTalk was out of date: the bug that allowed the hackers to access the data had a "fix" that had been made available three and a half years before the breach occurred. Furthermore, TalkTalk failed to ensure that its computer systems were protected against known vulnerabilities. More damning still, the ICO investigation uncovered that TalkTalk had been subject to two earlier attacks of the same type (SQL injection attacks) prior to the October 2015 cyber attack, on which the company had failed to take any action.
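The finding above names SQL injection as the attack type but does not explain what it is. The following is an added illustration, not code from the article or from TalkTalk's systems: a constructed customer table queried once by string concatenation and once with a bound parameter. The table, rows and function names are all assumptions made for this example.

```python
"""
Constructed illustration of the vulnerability class named in the ICO findings:
a lookup built by string concatenation versus the same lookup with a bound
parameter. The table and rows are fictitious and exist only for this example.
"""
import sqlite3

# Constructed sample data: names and addresses are made up.
CUSTOMERS = [
    ("Alice Example", "alice@example.test"),
    ("Bob Example", "bob@example.test"),
    ("Dara O'Brien", "dara.o'brien@example.test"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Statement text assembled from untrusted input, so the input is parsed
    as SQL. Kept only for the side-by-side comparison."""
    sql = f"SELECT name, email FROM customer WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Same query with a bound parameter: the driver passes the value
    separately from the statement, so quote characters are plain data."""
    sql = "SELECT name, email FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(email: str) -> dict:
    """Run both versions against one input and report what each returned."""
    conn = build_db()
    result = {"safe": lookup_safe(conn, email)}
    try:
        result["vulnerable"] = lookup_vulnerable(conn, email)
    except sqlite3.Error as exc:
        # An unbalanced quote in the input breaks the concatenated statement,
        # which is the first visible sign that input is reaching the parser.
        result["vulnerable"] = f"error: {exc}"
    conn.close()
    return result


if __name__ == "__main__":
    for probe in ["alice@example.test", "dara.o'brien@example.test", "x' OR '1'='1"]:
        print(probe, compare(probe))
```

A legitimate address containing an apostrophe already fails against the concatenated version, and a tautology in the same position returns every row, which is the class of exposure the ICO describes. The parameterised version returns exactly the matching row in the first case and nothing in the others; the same pattern applies to any database driver that supports bound parameters.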

The ICO investigation found that TalkTalk had breached the seventh principle of the Data Protection Act by failing to implement "appropriate technical and organisational measures...against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

On top of the £400,000 fine payable to the ICO, it has been revealed that the cyber attack reportedly cost TalkTalk £42 million, with the company losing hundreds of thousands of subscribers. Police are currently investigating the cyber attack and have already arrested six people in connection with it.

© MacRoberts 2016

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.