TalkTalk Gets Record Fine For Data Breach
Telecoms company TalkTalk has been hit with a record £400,000 fine by the Information Commissioner's Office (ICO) for its 2015 security breach, in which 157,000 customer accounts were compromised. The data stolen included Personally Identifiable Information (PII): names, addresses, dates of birth, phone numbers and email addresses. For 10% of these accounts, the attacker also had access to bank account numbers and sort codes.
Information Commissioner Elizabeth Denham said:
“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting. Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
20% Discount on fine
TalkTalk will get a 20 per cent discount on the £400,000 fine if it pays up by 1 November. Under the usual ICO fining mechanism, if TalkTalk does not appeal the fine and pays before the end of the month, the amount is reduced by one-fifth to £320,000. A statement from the company said that it was “disappointed” with the ICO’s decision but stopped short of suggesting that it would appeal. “We continue to be respectful of the important role the ICO plays in upholding the privacy of consumers,” it added.
Sending out the right message?
Whilst this may be a record fine from the ICO, is it really a sufficient statement to other organisations that may be putting their customers' sensitive information at risk through poor and insufficient cybersecurity practices? After all, TalkTalk suffered more than one attack in 2015; this breach was simply the most significant, given the relatively large number of customers affected. Earlier this year, TalkTalk admitted to losing £60m and 101,000 customers as a result of the breach. Perhaps the ICO thought the company had been punished enough?
Mark Oakton, Security Director at Infosec Partners Group commented:
“I’m not sure this sends out the right message. The TalkTalk board are likely feeling quite content now – if they had invested in security for their scale of operation it would likely have cost them around this figure in protection over recent years, so some may suggest that they have played the ‘risk management’ game well. Comparing the breach to the recently disclosed attack on Yahoo, which saw half a billion accounts breached, on the same scale they would be fined £1.2b (if they were all UK credentials).”
We can help
Overall, TalkTalk has lost over £60m in revenue, 101,000 customers have left despite the offer of a number of freebies following the breach, and the company has sustained significant damage to, and loss of trust in, its brand and reputation – all of which could have been prevented for a fraction of the ICO's record fine.
Concerned that your organisation isn’t prepared for a breach, or worried that you might already have been breached? We can help. Our services range from stress testing your security strategy and working with board-level and executive leaders to strengthen the cyber culture of your organisation, to hands-on, on-the-ground support in preparing your security ecosystem and responding to incidents. Infosec Partners are proven experts in full-spectrum cybersecurity and a team you can trust.
For your free consultation, complete the adjacent form, or to speak with a trusted advisor immediately, call us on +44 (0)1256 893662.