Can you put a figure on stolen data? You can in terms of fines and compensation payouts.
Major U.K. telecom company TalkTalk has been fined £400,000 for the cyber-attack that took place in October last year. Up to 4 million customer records were initially thought to have been accessed, but it was later confirmed that around 157,000 accounts were directly accessed in the breach.
The primary reason TalkTalk was fined this amount was the weakness of its security protection. The Information Commissioner’s Office (ICO) found that the security was at such a low level that the cyber-attack was carried out “with ease”. The size of the fine for these security failings comes as no surprise once you take into account the huge responsibility organisations and companies have to protect their customers’ data under the Data Protection Act 1998, which TalkTalk was found to have breached.
There are eight data protection principles that organisations must adhere to. The seventh principle stands out the most in this case; the Data Protection Act states that organisations must take appropriate technical and organisational measures to protect data against:
“…unauthorised or unlawful processing…and accidental loss or destruction of, or damage to, personal data”
So, in principle, if an organisation does not have adequate security in place to protect personal data against loss or damage, it can be held liable, as the TalkTalk case has demonstrated.
TalkTalk and its customers experienced what has been described as a “significant and sustained cyber-attack”. Not only were customer names, addresses and telephone numbers taken, but bank details were also thought to have been part of the theft. This is a huge concern for many customers, because the breach could have lasting consequences and leaves them much more exposed to further attacks. Once cyber-criminals hold sensitive data such as names, addresses and bank details, they can use it to commit further fraud, for example by impersonating the customer or the company in follow-up scams, or, worse still, sell it on.
The turmoil that TalkTalk has put its customers through is simply unacceptable. There is an argument that a £400,000 fine is not enough and that steps should be taken to compensate TalkTalk customers, which is exactly what we are acting for people to achieve.
TalkTalk tried to play down the situation by issuing a statement saying that a “materially lower” amount of customers’ bank information was part of the cyber-theft, and that the data alone was not enough for cyber-criminals to take money from customers’ accounts. Customers’ experiences suggest otherwise: one customer, Hilary Foster, said she had lost £600 from her account and is wary of future attacks because of the theft of her personal details. The company has since lost credibility, with several customers wanting to exit their contracts early.
We are also helping and advising people who have since been successfully targeted by fraudsters.
It was the largest fine the ICO had imposed at that point; the ICO has the power to fine up to £500,000. There is no excuse for TalkTalk’s lack of security. The vulnerable database was inherited when TalkTalk took over a rival firm in 2009 and was said to be outdated. When the breach was made public, the company’s Chief Executive, Dido Harding, stated that the company was not under a “legal obligation” to encrypt sensitive data such as bank details. With security this weak, the attackers were able to use a well-known and long-understood attack technique, SQL injection, to gain access to the data.
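To make the technique named above concrete, here is an added example that is not from the original article and does not reconstruct the TalkTalk attack itself: a constructed in-memory database with made-up customer rows, a lookup function that splices user input straight into the SQL text, and the same lookup written with a parameterised query. The table layout, field names and the classic tautology payload are all assumptions made for the demonstration. Against the injectable version the payload returns every row, bank details included; against the parameterised version it returns nothing, because the driver treats the input as a value rather than as SQL.

```python
import sqlite3

# Constructed sample data for this example; not real customer records.
CUSTOMERS = [
    (1, "alice", "12-34-56", "11111111"),
    (2, "bob", "65-43-21", "22222222"),
    (3, "carol", "11-22-33", "33333333"),
]

# Classic tautology payload, constructed for the demo: it turns
#   WHERE username = '<input>'   into   WHERE username = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"


def make_db():
    """Build an in-memory database holding the constructed 'customers' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, username TEXT, sort_code TEXT, account_no TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Injectable: the caller's input becomes part of the SQL statement text."""
    sql = (
        "SELECT username, sort_code, account_no FROM customers "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the value is bound separately and can never change the query."""
    sql = "SELECT username, sort_code, account_no FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Return row counts for (legitimate lookup, injected lookup, hardened lookup)."""
    conn = make_db()
    legit = lookup_vulnerable(conn, "alice")        # one matching row
    dumped = lookup_vulnerable(conn, PAYLOAD)       # every row: the filter is bypassed
    safe = lookup_parameterized(conn, PAYLOAD)      # no row has that literal username
    return len(legit), len(dumped), len(safe)


if __name__ == "__main__":
    print(demo())  # (1, 3, 0)
```

The second point the article raises follows directly from the output: whatever rows an injected query returns are handed over exactly as stored, so if sort codes and account numbers sit in the table in plaintext, a single injectable page is enough to expose them all. Parameterised queries close the injection route, and encrypting sensitive columns limits what a successful query can yield.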
This shows that the company did not put sufficient effort into protecting its customers’ personal details, as the ICO confirmed through its fine. That lack of effort, combined with outdated software guarding the data, made an incident all but inevitable. The company’s attempt to limit its liability by stating that the amount of financial information accessed was “materially lower” than first thought did little to reassure customers or the regulator.
It seems clear that TalkTalk needs to invest in security controls that will reduce the risk of another breach. This case should also serve as a warning to other organisations to fix their security or pay the price. The ICO will be monitoring TalkTalk’s progress, along with that of any other organisation that fails to protect its customers’ personal data.