In October 2015, TalkTalk suffered a cyber attack leading to the loss of the personal data of 156,959 of its subscribers – 15,656 of which included bank account numbers and sort codes. The UK Information Commissioner’s Office (ICO) issued a record £400,000 fine to TalkTalk for failing, in breach of the seventh principle of the Data Protection Act 1998 (DPA), to have in place “appropriate technical and organisational measures” to prevent such an attack. TalkTalk reported that the attack cost the organisation £42m and the loss of 101,000 subscribers.

This article will look at the TalkTalk data breach, highlighting the most common causes of data security breaches and detailing how companies that process personal data can avoid falling foul of the DPA. The article will also discuss the effect that the EU General Data Protection Regulation (GDPR) would have had in the TalkTalk case, had it been in force.

Lessons to be learnt from the TalkTalk data breach

The information commissioner has the power to fine an organisation which processes personal data up to £500,000 for a serious breach of any of the eight data protection principles set out in the DPA. The DPA states that such a breach must be of a kind likely to cause substantial damage or distress to individuals, and must have been either deliberate, or the organisation knew or ought to have known that there was a risk that a breach would occur, and that such a breach would be likely to cause substantial damage or distress.

The ICO advises that all organisations which process personal data should have in place a software security updates policy. The TalkTalk data breach occurred on a customer database that it had inherited in 2009. The database software was outdated and affected by a known bug for which a fix was already available. The hacker exploited this bug, through certain vulnerable webpages, to access TalkTalk subscriber data.

Apr-Jun 2017 Issue

Wedlake Bell LLP