Leading information law solicitors Leigh Day welcome the record £400,000 fine issued by the Information Commissioner to TalkTalk for security failings that allowed a cyber-attack on customer information in October 2015.
The cyber attackers accessed personal information of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also accessed their bank account details and sort codes.
The Information Commissioner found that “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s system with ease.”
The Information Commissioner also found that “The contravention was of a kind likely to cause substantial damage and distress” and further stated that if the information has been misused by the attacker or passed to untrustworthy third parties then the contravention would cause further distress to the affected customers and damage such as exposing them to blagging and possible fraud.
Overall, the Information Commissioner found that TalkTalk had failed to comply with the Data Protection Act, specifically the requirement to comply with the seventh data protection principle that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
The October 2015 cyber-attack is simply the latest data breach of customer information suffered by TalkTalk.
TalkTalk have confirmed suffering a series of previous data breaches including in September 2014 and August 2015.
Leigh Day is currently investigating claims for compensation by TalkTalk customers who were defrauded following these breaches. Specifically, these affected customers were contacted by fraudsters pretending to be TalkTalk staff, who were able to gain their confidence by quoting their personal details, including their names, addresses and TalkTalk account numbers.
Having gained their trust, the fraudsters then took over the customers’ computers in order to “fix” supposed problems and then arranged for money to be taken from the customers’ bank accounts. It is reported that dozens have been affected by the fraud, each losing thousands of pounds.
Sean Humber, a solicitor at Leigh Day specialising in information law, commented:
“It will be important to critically review the circumstances of the data breaches, as well as the adequacy or otherwise of the security measures in place. It will also be important to establish quite when TalkTalk first became aware of these breaches and how and when they passed this information on to affected customers, many of whom seemed unaware of the problem at the time that they were defrauded.
“Those affected may have claims for breach of their confidence by arguing that the losses suffered were caused by the initial unauthorised disclosure of their confidential information by TalkTalk and / or its contractors. They may also have claims for compensation under the Data Protection Act in relation to the failure to hold their information safely.”