The fine was the consequence of a cyber security breach in October 2015, which led to the theft of personal data of almost 157,000 customers, including the bank account number and sort code details of nearly 16,000 customers.
In October 2015, attackers accessed a database belonging to Tiscali UK, a company TalkTalk had acquired in 2009, by exploiting a SQL injection vulnerability against a system running an unpatched version of MySQL. SQL injection is a long-documented class of attack in which untrusted input is incorporated into a database query so that the attacker can alter what the query does.
The Information Commissioner found TalkTalk to have breached both the fifth and seventh principles of the Data Protection Act 1998 (the “DPA“), which require data controllers to delete personal data that is no longer needed for a particular purpose, and to take appropriate security measures to prevent personal data being accidentally or deliberately compromised.
The Information Commissioner exercised her power under the DPA to issue a fine, given that the volume and nature of the compromised data amounted to a serious contravention, of a kind likely to cause substantial damage or distress. The Commissioner lent particular weight to the fact that the contravention was foreseeable, in that TalkTalk had twice been compromised in 2015 through the same cyber vulnerability, and it was a well-documented method of attack for which defences are known. As such, the Information Commissioner’s view was that TalkTalk knew or ought reasonably to have known of the likely risk of a breach causing substantial damage or distress, but failed to take preventive steps nonetheless.
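The Commissioner's point that SQL injection is a well-documented attack with known defences is easiest to see in code. The following Python is an added illustration and is not code from TalkTalk, Tiscali or the ICO notice, whose actual schema, queries and injection payload are not described on this page. It builds an in-memory SQLite database with constructed sample rows (the table, column names and payload are assumptions for the demonstration) and runs the same attacker-supplied input through a string-concatenated query and through a parameterised one.

```python
import sqlite3

# Constructed sample data for the demonstration; not TalkTalk's schema or customers.
CUSTOMERS = [
    (1, "alice", "12-34-56", "12345678"),
    (2, "bob", "65-43-21", "87654321"),
]

def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, username TEXT, sort_code TEXT, account_no TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn

def lookup_vulnerable(conn, username):
    """Untrusted input is pasted into the SQL text: the injectable pattern."""
    sql = (
        "SELECT username, sort_code, account_no FROM customers "
        "WHERE username = '%s'" % username
    )
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, username):
    """The defence: the driver binds the value; it can never change the query."""
    sql = "SELECT username, sort_code, account_no FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo(payload="nobody' OR '1'='1"):
    """Run one hypothetical injection payload through both lookups.

    Returns (rows from the vulnerable query, rows from the parameterised query).
    The vulnerable query becomes
        ... WHERE username = 'nobody' OR '1'='1'
    and returns every customer's bank details; the parameterised query looks
    for a user literally named "nobody' OR '1'='1" and returns nothing.
    """
    conn = make_db()
    return lookup_vulnerable(conn, payload), lookup_parameterised(conn, payload)

if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query returned %d rows: %r" % (len(leaked), leaked))
    print("parameterised query returned %d rows: %r" % (len(safe), safe))
```

The same fix applies whatever the database: never build SQL text from user input, and bind values through the driver's placeholder mechanism (`?` for sqlite3 here; `%s` with a parameter tuple for most MySQL drivers). Escaping input by hand is not a substitute.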
TalkTalk had until 2 November 2016 to pay the £400,000 fine or to appeal. It paid by 1 November 2016 and so qualified for the 20% early-payment reduction of £80,000, but in doing so gave up its right to appeal.
The Information Commissioner also took the opportunity to warn organisations once again that “cyber security is not an IT issue, it is a boardroom issue“. The attack has reportedly cost TalkTalk over 100,000 customers and over £42 million so far.
To view the Monetary Penalty Notice, please click here.