TalkTalk fine “nothing compared to upcoming GDPR”
Written by staff reporter
Telecoms company TalkTalk has been issued with a record £400,000 fine by the ICO for security failings that allowed a cyber attacker to access customer data “with ease”. Investigators found that the cyber attack of October 2015 took advantage of technical weaknesses in TalkTalk’s systems. The attacker accessed the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes.
Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
Some industry commentators say the fine is still relatively small, and is nothing compared to what can be expected under the forthcoming General Data Protection Regulation (GDPR).
“The fine against TalkTalk is the biggest to date as a result of the company not implementing basic levels of protection. It is clear that security has not always been prioritised in the way it is now,” said Mishcon de Reya's Cyber Security Lead Joe Hancock.
“However £400,000 is still a relatively small fine compared to the potential fines that will be levied under the General Data Protection Regulation – the greater of up to 4% of global turnover or €20 million. For TalkTalk this could have been over £70 million.
“We expect to see further examples made of companies who fail to take cyber security as seriously as they would other risks. Implementing basic cyber security protections will go a long way to protecting customers' data and company reputations.”
The question that now remains is whether responsibility for the fine lies with TalkTalk alone, or whether it should be shared with the company's service providers and suppliers. According to Hancock, these issues are likely to become more pressing as the size of fines increases under GDPR.