Yesterday, the Information Commissioner’s Office (“ICO”) issued a record monetary penalty of £400,000 against the telecommunications group TalkTalk, for serious contraventions of its security obligations as a data controller under the Data Protection Act 1998 (“DPA”) arising out of a well-publicised data breach which occurred in 2015.

The decision marks a step-up in ICO enforcement action, particularly as the number of records compromised was not that high compared to some other breaches.

Key points to take away from the Monetary Penalty Notice:

  1. Understand your IT infrastructure and data and the risks that relate to that data. TalkTalk didn’t identify, for 6 years, that the database which was compromised could be accessed via internet-accessible webpages.
  2. Ensure your security and patching is up-to-date, and be aware of attacks that are happening to other businesses. In this case, not only had a patch been available for over 3 years, but the type of attack used was very well known and should have been defended against.
  3. Identify, respond appropriately to, and learn from actual and attempted cyber breaches. Failure to do so is likely to result in an increased fine.
  4. Consider your contractual indemnities and limitations on liability relating to data. TalkTalk’s fine was 80% of the current maximum. From May 2018, maximum fines under the GDPR for this type of breach will be up to the greater of 4% of global turnover or €20,000,000. Significant fines will likely be levied under the GDPR, and businesses need to be cognisant of that increase in financial risk and ensure their cyber security measures, data breach plans, insurance cover and contractual protections are ready for that new level of exposure.

TalkTalk acquired the UK operations of Tiscali in 2009. As part of that acquisition, TalkTalk acquired certain web pages as part of Tiscali’s infrastructure, which provided access to an underlying database containing customer data.

The database ran on an outdated version of the MySQL platform. Between 15 and 21 October 2015, a cyber-attack exploited vulnerabilities in these web pages and extracted the personal data from the underlying database. The attacker hacked the database using a basic SQL injection for which a well-known patch had been publicly available for over three years. A “patch”, for those not technically minded, is a software update which in this case would have closed off the vulnerability.

The data accessed by the attacker included names, addresses, dates of birth, telephone numbers, and email addresses of 156,959 customers and the bank account number and sort codes of 15,656 customers.

Obligations under the DPA

The ICO issued this penalty against TalkTalk for breaching the Seventh Data Protection Principle under the DPA, which provides that:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

The exact measures to be put in place will vary depending on the nature and resources of the business, the data it holds and the risks involved. The measures must have regard to the state of technological development, the cost of implementation, and must ensure a level of security appropriate to the harms that might result from breach of Principle 7 and the nature of the data in question.

Under Section 55A(1) of the DPA, the ICO may issue a monetary penalty where:

  1. there has been a serious contravention of the Data Protection Principles by a data controller;
  2. the contravention was of a kind likely to cause substantial damage or substantial distress; and
  3. the contravention was either:
     (a) deliberate; or
     (b) the data controller knew or ought to have known that there was a risk that the contravention would occur and that such a contravention would be likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it.

The ICO had little difficulty in finding that these conditions were satisfied.

The minimal level of protection in place and outdated software holding the data meant that the database could be compromised using a basic cyber-attack. A patch specifically designed to fix this vulnerability had been openly available for over three years and was well-known.

Given that the personal data in question included names, addresses, email addresses and bank account information, the ICO found that the breach was likely to cause the individuals concerned substantial distress and would expose them to an increased risk of blagging, phishing and fraud.

The ICO did not consider that the fact that TalkTalk was unaware of the webpages protected it against a monetary penalty. In fact, the ICO expressly stated that TalkTalk should have identified that these websites formed part of its IT infrastructure, were accessible via the internet, and provided access to the underlying database. The ICO also criticised TalkTalk for not undertaking proactive monitoring to identify vulnerabilities, which might have discovered the webpages.

Why was the penalty so high?

The penalty of £400,000 is the largest issued by the ICO to date. In setting the amount, the ICO was particularly motivated by the fact that:

  1. an SQL injection is a well understood method of cyber-attack for which known defences exist and, in this particular case, had been available on the market for over three years;
  2. TalkTalk was subject to two previous SQL injection attacks that exploited the same vulnerability in July and September 2015 but failed to take any remedial action;
  3. TalkTalk should have known that the Tiscali infrastructure included these web pages and that these ran on an outdated and easily exploited system;
  4. the personal data accessed contained financial information relating to over 15,000 data subjects; and
  5. the contravention could not be characterised as a one-off event or attributable to human error.

It is clear that the ICO has seen this as an opportunity to send a strong message to data controllers of the need to comply with the data protection principles. The total number of data subjects affected is in fact relatively small, but there were significant technical failures by a FTSE 250 company with revenues of almost £2 billion in 2015, which no doubt contributed to the level of the fine.

The decision of the ICO in issuing such a high penalty marks a clear step up in the intensity of enforcement action.

The ICO has used its fining powers sparingly in the past and in our view deserves its reputation as one of the more pragmatic and business-friendly privacy regulators in Europe. It has, however, shown a willingness to fine where an organisation has committed flagrant and repeated failures to observe UK data protection requirements (for instance in relation to companies sending millions of spam texts without consent), and a significant fine was widely anticipated in the UK. We do not read this fine as a change in the ICO’s pragmatic approach to enforcement, or as indicating a greater risk of data protection fines being imposed on businesses in the UK which are doing their best to be compliant but fall short.

It should, though, be a loud wake-up call for businesses of all sizes that are yet to get to grips with cyber security, and we expect similar failures to attract significant fines.

Looking to the future

Under the GDPR the penalties for this type of breach will be up to the greater of 4% of the group’s total worldwide turnover or €20 million. The maximum penalty available to the ICO in this case would have been 4% of £1.75 billion, which is £70 million. In this instance, the penalty was 80% of the maximum, which would be £56 million. The factors which go into the level of penalty are complex, and the ICO would almost certainly not have raised that level of fine in this case under the GDPR. Having said that, we can expect a “credible deterrent” approach similar to the approach taken by the FCA (the UK’s financial services regulator) for several years, so where appropriate we expect fines of several millions, and possibly into tens of millions of pounds in exceptional circumstances, under the GDPR.