We looked in September at the UK Information Commissioner’s Office’s (ICO) first action against TalkTalk over a data breach in November 2015. You can see that alert here. Today the ICO took action against TalkTalk over another breach, in October 2015. TalkTalk has been given a record £400,000 fine for security failings that allowed a cyber attacker to access customer data “with ease”.
Background
TalkTalk are a telecoms provider who provide a range of telecoms services across the UK. They are a UK listed entity with a turnover of about £1,795m in 2015.
In October 2015 TalkTalk announced a data breach which they said was the result of a “significant and sustained cyber-attack”, and they said that the personal and banking details of up to four million of their customers had potentially been exposed. A few weeks later, however, TalkTalk issued a new statement saying that a “materially lower” number of customers had been affected, and in early November they said that the number was “much more limited than initially suspected”. They thought that the banking details of 15,656 customers were at risk.
ICO investigation
The ICO responded quickly to news of the breach and launched their own investigation. TalkTalk notified the ICO of the breach within 24 hours of discovering it. The ICO found that the attack could have been prevented if TalkTalk had taken basic steps to protect customers’ information.
ICO investigators found that the attack between 15 and 21 October 2015 took advantage of technical weaknesses in TalkTalk’s systems. The attacker accessed the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes.
What did the ICO do?
The ICO have today issued a monetary penalty to TalkTalk. In doing this the Information Commissioner Elizabeth Denham said:
“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
The ICO investigation in this case was limited to TalkTalk’s compliance with the Data Protection Act 1998. It concluded that TalkTalk failed to have in place the appropriate security measures to protect the personal data it was responsible for. A criminal investigation by the Metropolitan Police has been running separately to the ICO’s investigation.
How does this relate to GDPR?
GDPR will impose general data breach reporting obligations both to regulators and to those affected. You can find out more about this in our FAQs here – www.corderycompliance.com/eu-data-protection-regulation-faqs-3/. Under GDPR breaches will have to be reported usually within 72 hours. It is important to remember that separate obligations will still exist for telecoms companies both under PECR and also from 2018 under the NIS Directive. You can find out more about the NIS Directive here – www.corderycompliance.com/eu-cyber-security-rules-adopted/. This case sends a clear message that companies will have to invest in proper processes to enable them to report breaches properly.
The penalty post-GDPR for breaches like this is likely to be more significant. A fine of £400,000 compares with a possible penalty of around £72 million for an organization of TalkTalk’s size for serious offences post-GDPR. Again, you can find more details of the GDPR fining regime in our FAQs here – www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and in our detailed guidance in the Cordery GDPR Navigator here – www.corderycompliance.com/solutions/cordery-gdpr-navigator/.
Next steps
Mrs. Denham also made it clear in her alert that she expects boards to take this seriously. She said:
“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
There has already been significant criticism of the way in which TalkTalk’s management handled both the breach and communications after the breach. Clearly, then, as part of the GDPR process businesses will have to consider:
- Making more effort to stop breaches happening;
- Having a robust data breach plan in place;
- Training individuals to make sure they know how to respond;
- Investing in proper processes to identify breaches quickly, to assist in investigating the breach and to outline the details to a regulator’s satisfaction;
- Making sure that data security is an item in due diligence. In this case the affected systems had been acquired by TalkTalk. Recent events like the Yahoo breach have shown us that care needs to be taken to check data security when acquiring a business or assets.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com
Office: +44 (0)207 075 1785
andre.bywater@corderycompliance.com
The picture of Elizabeth Denham is © Crown copyright and is used by kind permission of DCMS.