Record £400,000 fine for TalkTalk following data breach

The UK's data protection watchdog has issued TalkTalk with a record fine of £400,000 for a major data breach the company experienced in 2015.

TalkTalk was the target of a "significant and sustained" cyber attack in October last year during which the personal data of approximately 157,000 customers was compromised. The Information Commissioner's Office (ICO) investigated the incident and has now announced that it found a number of "inadequacies" with the company's data security practices.

The "matters of serious oversight" included operating outdated software and not undertaking "appropriate proactive monitoring" for system vulnerabilities, the ICO said in a monetary penalty notice (17-page / 2.30MB PDF) issued to the company.

TalkTalk "failed to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data", in a serious breach of the Data Protection Act, the ICO said.

The watchdog has the power to issue fines of up to £500,000 for such breaches under the Act.

Information commissioner Elizabeth Denham said: "TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease. Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."

"In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting. Today's record fine acts as a warning to others that cybersecurity is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers," Denham said.

TalkTalk's sanction is greater than the previous highest fine of £325,000 issued by the ICO against an NHS Trust in 2012.

In a statement, TalkTalk said: "TalkTalk has cooperated fully with the ICO at all times and, whilst this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers."

"During a year in which government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business. As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time."