Cyber data breach: record £400,000 fine
TalkTalk has been issued with a record monetary penalty by the Information Commissioner’s Office (ICO) for serious security failings that allowed a cyber attacker to expose the personal data of over 150,000 customers “with ease”.
The penalty was issued on 5 October 2016 under s.55A Data Protection Act 1998 (DPA). It is the largest to date, and just short of the maximum fine of £500,000 which the ICO is allowed to levy.
The fine marks a significant step up in the severity of enforcement action for cybersecurity breaches. It also comes hot on the heels of TalkTalk’s unsuccessful appeal against a (much smaller) £1,000 fine for failing to notify the ICO of a personal data breach within specified timescales.
In 2009 TalkTalk acquired the UK operations of Tiscali. As part of that acquisition TalkTalk acquired certain webpages as part of Tiscali’s infrastructure, which provided access to an underlying database containing customer data. That database was vulnerable to an SQL injection attack, despite the fact that a patch for the vulnerability had been publicly available for over three years. In October 2015 a cyber attack exploited this vulnerability and accessed the personal data of 156,959 customers, including the bank account numbers and sort codes of 15,656 customers.
The ICO was satisfied that TalkTalk had contravened the following obligation under the DPA:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
In particular, TalkTalk:
- Failed to remove or secure the webpages which provided access to the underlying database.
- Was operating vulnerable outdated database software affected by a bug, for which a fix was available but had not been applied.
- Failed to undertake proactive monitoring activities to discover vulnerabilities.
Despite having the necessary financial resources, staffing and expertise, the ICO found that TalkTalk overlooked the need to have appropriate cybersecurity measures in place and was ultimately found wanting. In setting the level of the fine, the ICO identified a number of aggravating factors which made the data breach particularly serious:
- The number of individuals (data subjects) affected.
- The sensitive nature of the personal data held on the database (including personal bank account numbers and sort codes).
- TalkTalk ought reasonably to have known that a cyber attack of this nature would occur unless it ensured that the data was protected.
- Prior to the October 2015 attack there had been two previous attacks in July and September 2015.
- TalkTalk ought reasonably to have known that the loss of customers’ personal data was likely to be distressing to those customers and had the potential to cause damage, for instance as a result of fraud.
At a time where cyber attacks are becoming increasingly prevalent, this decision should act as a loud wake-up call to businesses who are yet to get to grips with cybersecurity. The Information Commissioner stated that:
Today’s record fine acts as a warning to others that cybersecurity is not an IT issue, it is a boardroom issue.
Businesses should ensure that they have appropriate cybersecurity procedures and defences in place to protect any personal data. They should carry out regular reviews of these measures and have a crisis response strategy in place in the event of a cyber attack.
The record fine has been imposed at an important time as businesses move towards compliance with the General Data Protection Regulation (GDPR) that comes into force in all EU Member States in May 2018. Under the GDPR the penalties for companies that breach data protection laws will be up to the higher of 4% of a company’s total worldwide turnover or €20 million. It will also introduce a mandatory data breach reporting regime for all companies within 72 hours of becoming aware of the breach.
Notwithstanding the referendum result of Brexit, the ICO has said that:
if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018.
It therefore appears that the ICO considers it necessary to push forward with reforms of UK data protection legislation, which will mirror the provisions of the GDPR. Alternatively, the GDPR might simply be extended into UK law through the Great Repeal Bill, which has as one of its aims to convert the existing body of EU law into UK law.
- Data breach damages: how much?
- Time is of the essence: reporting data security breaches
- Privacy notices: just to let you know