Talk Talk have published figures showing the impact of the cyber-attack that the company experienced in October 2015. Since the 'significant and sustained' attack, Talk Talk have lost 101,000 customers.

The Consequences of the Attack

The attack in October allowed the hackers to access the personal details of 157,000 individuals, approximately 4% of the company's 4 million customers. Although at present there has been no apparent monetary loss from the attack, the personal information accessed includes 21,000 bank account details, 28,000 partial credit card details and 15,000 customer dates of birth. This data is highly valuable, which is why large-scale cyber-attacks of the type experienced by Talk Talk are occurring more frequently and why it is essential that businesses have procedures in place to protect themselves from such attacks.

The company initially predicted a one-off financial hit of up to £35m. However, the attack resulted in a £15m impact to trading and £40-£45m in exceptional costs, which include IT and customer response lines.

Talk Talk's CEO, Dido Harding, has stated that the company has seen "customers returning to normal trading levels in January". However, despite Harding's statement, financial loss will not be the only cost to a company that has been hacked 3 times in the past 12 months: share price drops, reputational damage and a lack of customer trust and loyalty are also greatly affecting their business.

Did Talk Talk Breach the Data Protection Act?

It has been strongly suggested that such a volume of exceptionally sensitive data should have been better protected and that Talk Talk breached the Data Protection Act 1998. The seventh principle of the Data Protection Act requires that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." If personal data is correctly encrypted then any stolen information is useless to hackers or extremely expensive to sell. Talk Talk have contended that they did not breach the Data Protection Act, as they were subject to a criminal attack and took their website offline as soon as they were aware of the magnitude of the problem.

The cyber-attack was labelled a 'car crash' by the Information Commissioner, Christopher Graham, who stressed it should send a powerful warning to the industry. The Information Commissioner's Office (ICO) is investigating Talk Talk as part of The Cyber Security: Protection of Personal Data Online Inquiry. This could lead to a fine of up to £500,000.

It is essential that companies have appropriate procedures in place to protect against cyber-attacks, and to defend themselves when such attacks occur, as the legal implications are as serious as the commercial consequences, as Talk Talk may be about to find out.

© MacRoberts 2016
