
TalkTalk warns all 4m of its customers about a potential data breach

Out-Law News | 23 Oct 2015 | 11:46 am | 2 min. read

TalkTalk has warned all 4 million of its customers that their personal data may have been compromised following a "significant and sustained" cyber attack on the company's website.

The telecoms operator said the Metropolitan Police Cyber Crime Unit had launched a criminal investigation into the attack, which started on Wednesday.

TalkTalk said that it is as yet unsure whether the attack led to the loss of customer data and, if so, how many of its subscribers have been affected. However, it said that it is possible personal data including names, addresses, dates of birth, email addresses, telephone numbers, account information and credit card and bank details were accessed by the attackers.

"The investigation is ongoing, but unfortunately there is a chance that some … data may have been accessed," a TalkTalk statement said. "We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed."

"We would like to reassure you that we take any threat to the security of our customers’ data very seriously. We constantly review and update our systems to make sure they are as secure as possible and we’re taking all the necessary steps to understand this incident and to protect as best we can against similar attacks in future," it said.

TalkTalk said it was contacting its customers to advise them of the incident and had "taken all necessary measures to secure our website following the attack". Customers have been offered free credit monitoring services, and major banks have been contacted and are monitoring TalkTalk customers' accounts for "suspicious activity", the company said.

The UK's data protection watchdog, the Information Commissioner's Office (ICO), has also been notified of the potential breach of personal data, TalkTalk said. The company said, however, that it has not breached the Data Protection Act. It said it has been the victim of "a criminal attack".

An ICO spokesperson said: "The ICO is aware of this incident, which was reported to us on Thursday afternoon. We will be making enquiries and liaising with the police. Any time personal data is lost there can be a risk of identity theft. There are measures you can take to guard against identity theft, for instance being vigilant around items on your credit card statements or checking your credit ratings."

Information law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "The telecoms industry will be urgently grappling with the challenges this latest large-scale data breach flags up. TalkTalk are being very upfront with customers about the scale and significance of the breach. Being straightforward with customers and offering effective guidance about risk control steps will help TalkTalk to limit the impact on both customers and brand."

"But this is just one of a range of similar attacks on high street names this year and is more evidence of the increasingly sophisticated nature of hackers. It demonstrates that telecoms and other utilities, holding huge amounts of data, are particularly exposed to this damaging activity. The increasing involvement of well-funded state, criminal and terror networks underlines the increasing importance of developing sophisticated defences with audits of IT systems to safeguard against hacks and maintain consumer confidence," he said.

In 2013 the ICO fined Sony £250,000 for a serious breach of the Data Protection Act after hackers stole customer data stored on its PlayStation Network (PSN) in a cyber attack in 2011. The watchdog said Sony had not taken sufficient steps to prevent the loss of "vast" amounts of personal data belonging to millions of UK consumers.

Under the Data Protection Act organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The ICO has the power to issue fines of up to £500,000 against organisations that are responsible for a serious breach of the Act.

After the Sony incident, the ICO issued new guidelines on IT security. Forthcoming reforms to EU data protection laws are likely to impose stronger data security obligations on companies in future, researchers from Queen Mary University of London's School of Law have predicted.