The ICO has issued its largest ever fine of £400,000 to TalkTalk in relation to the well-publicised cyber attack last October. The fine serves as a reminder to businesses of the importance of ensuring adequate technical security measures are in place to protect personal data.
The cyber attack occurred between 15 and 21 October 2015. Six years earlier, TalkTalk had acquired Tiscali. Tiscali's infrastructure included certain webpages that were still available in 2015 and that allowed access to an underlying database of customer details. The October 2015 attack involved a hacker carrying out an SQL injection attack, in which SQL commands are 'injected' through the input fields of a webpage so that they become part of the queries the webpage sends to its database, giving access to resources or data that the page was never meant to expose. This particular attack enabled the hacker to exfiltrate data from the database. The hacker accessed personal data relating to a total of 156,959 customers on the database, including the bank account number and sort code of 15,656 of those customers.
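As an added illustration, not code from this article or from TalkTalk's or Tiscali's systems, the following Python sketch contrasts a customer lookup whose SQL is built by string concatenation (the flaw an SQL injection exploits) with the parameterised form that keeps user input as data. The table, column names and records are constructed for the example.

```python
import sqlite3

# Constructed sample records standing in for a customer table.
# The values are invented and belong to nobody.
CUSTOMERS = [
    ("alice@example.com", "12-34-56"),
    ("bob@example.com", "65-43-21"),
]


def make_db():
    """Build an in-memory database holding the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (email TEXT, sort_code TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Query assembled by concatenation: the caller's text becomes SQL.

    A value containing a quote and an always-true condition widens the
    WHERE clause and returns every row, which is the pattern the ICO
    notice describes at a high level.
    """
    sql = "SELECT email FROM customer WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, email):
    """Same lookup with a bound parameter.

    The driver passes the value separately from the statement, so the
    same text is matched literally against the column and nothing else.
    """
    sql = "SELECT email FROM customer WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # a classic review/test input for this flaw
    print("vulnerable   :", lookup_vulnerable(db, probe))
    print("parameterised:", lookup_parameterised(db, probe))
```

The vulnerable function returns every customer for the probe string, while the parameterised one returns nothing, which is the behaviour a code review or a pre-acquisition security assessment of legacy pages should confirm.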
TalkTalk notified the ICO of the attack on 22 October 2015, and the breach hit the headlines the following day. There followed an extensive investigation by the ICO into the breach, and plenty of adverse publicity as major news outlets worldwide covered the attack.
The ICO found that TalkTalk had breached principle 7 of the Data Protection Act 1998. This principle requires that data controllers must take appropriate technical and organisational security measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. In other words, businesses handling personal data must take reasonable steps to keep it secure. The ICO considered that TalkTalk had failed to do so. In particular:
The fine of £400,000 is the largest the ICO has levied so far. The maximum fine the ICO is currently entitled to issue is £500,000, although this is due to increase under the General Data Protection Regulation. The fine reflects the severity of the incident and serves as a timely reminder of the importance of keeping personal data secure.
Businesses should make sure that all software in use is up to date and that bug fixes are applied as soon as possible. In acquisitions, thorough due diligence should be carried out to identify legacy webpages and systems and to establish what updates are required to ensure these are appropriately secured.
Contributor: Emma Fox
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.