Get your security properly in place before the arrival of GDPR and even bigger fines, firms are told
TalkTalk has been fined a record £400,000 by the Information Commissioner’s Office (ICO) for its poor data security, which led to the theft of personal data belonging to 157,000 customers in October 2015.
The ICO said that “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate systems with ease.”
Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, said: “I am pleased the ICO is taking this particular loss very seriously and believe that the amount is appropriate in the circumstances. Some people may think £400,000 is high, but let’s remember it is only £2.50 per impacted customer.”
The ICO can currently fine firms for serious data breaches up to £500,000, but the incoming GDPR legislation will make that maximum amount much higher.
Hawthorn said: “The real loss to TalkTalk is far greater. It had a stock price drop of 11 percent, claimed to have lost 101,000 customers and had a revenue reduction of £80 million in the quarter after the attacks. In addition, the name TalkTalk will forever be linked to this and its other data loss incidents.”
Mark O’Halloran, tech expert and partner at law firm Coffin Mew, said of the fine: “The maximum penalty the ICO can impose is £500,000, so this fine is huge. But it will be dwarfed by the fines the ICO can impose from May 2018 under the GDPR, which are up to 4 percent of global turnover for the worst data breaches.”
O’Halloran said: “What companies need to do is contact cyber security specialists to have their IT systems and procedures tested for vulnerabilities. Auditing the security of IT systems will also be a legal requirement from 2018, as well as appointing a data protection officer who will be obliged to report any data breaches to the ICO.
“What counts as sufficient protection depends to a great extent on what security solutions are available on the market. If most companies are protecting their data with the latest state-of-the-art software and best practice procedures, any company behind the curve is at risk of serious fines and, of course, loss of reputation and business.”