Last week TalkTalk was fined £400,000 by the Information
Commissioner's Office (ICO) for breaching the Data Protection
Act. This is the largest fine, to date, that the ICO has imposed
– which emphasises the seriousness of the breach.
Back in October 2015, three webpages which TalkTalk controlled
(due to acquiring Tiscali in 2009) were subject to a cyber attack.
This cyber attack meant that the personal data of 156,959 customers
was accessed; in 15,656 instances the attacker gained access to
bank account details. Other types of data accessed included: names;
addresses; dates of birth; phone numbers; e-mail addresses; and
TalkTalk became aware of the cyber attack and shut down its
webpages. After which, they reported the breach to the ICO.
Reporting the breach to the ICO is an obligation on service
providers, such as TalkTalk, as set out in Regulation 5A(2) of the
Privacy and Electronic Communications Regulations (PECR).
At this stage, due to the seriousness of the breach, the public
were informed. This information was publicised due to Regulation
5A(3) of the PECR – as it states that subscribers should be
informed of a breach that could "adversely affect their
Consequently, the House of Commons raised the data breach as an
"Urgent Question". The House launched its own
investigation into the cyber attack, considering how the
consequences of this breach would affect service providers in
general. It heard from several individuals during the period of
investigation, including the Chief Executive of TalkTalk, the
Information Commissioner, and the ICO Group Manager for
Although the House of Commons issued a report on their inquiry
in June 2016, the ICO continued with their own investigation.
The ICO found that TalkTalk had failed to remove the webpages
that enabled the hackers to access the customers' personal
data. The ICO also recognised that the database software used by
TalkTalk was out of date. The bug that allowed the hackers to
access the data had a "fix" that was made available three
and a half years before the breach occurred. Furthermore, TalkTalk
failed to ensure their computer systems security were protected
from vulnerabilities. More damning information uncovered by the ICO
investigation was that TalkTalk had been subject to two similar
types of attack (SQL injection attacks) previous to the October
2015 cyber attack – on which the company had failed to take
The ICO investigation found that TalkTalk had breached the
seventh principle of the Data Protection Act, – failing to
implement "appropriate technical and organisational
measures...against unauthorised or unlawful processing of personal
data and against accidental loss or destruction of, or damage to,
On top of the £400,000 fine due to the ICO, it has been
revealed that the cyber attack reportedly cost TalkTalk £42
million – with the company losing hundreds of thousands of
subscribers. Police are currently investigating the cyber attack,
but they have already arrested six people in connection with
The material contained in this article is of the nature of
general comment only and does not give advice on any particular
matter. Recipients should not act on the basis of the information
in this e-update without taking appropriate professional advice
upon their own particular circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
While companies prepare for the EU General Data Protection Regulation (GDPR) to take effect in May 2018, another highly significant item on the agenda is arguably the current review process of the proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation).
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).