The record fine is an indication that the new Information Commissioner, Elizabeth Denham, is looking to take a robust approach to enforcement ahead of the introduction of the GDPR in May 2018.
In October 2015, a hacker accessed the personal data of 156,959 TalkTalk customers including names, addresses, dates of birth, phone numbers and email address, as well as bank details of over 15,000 customers.The data was obtained through an attack on three vulnerable web pages inherited from TalkTalk's acquisition of Tiscali's UK operations in 2009, which enabled access to a database holding customer information.
The ICO investigation found that TalkTalk failed to implement even the most basic cyber security measures.The ICO found that:
- TalkTalk was not aware that its database software was outdated and that it was affected by a bug, for which a fix was readily available;
- the hacker used a common technique known as SQL injection, which TalkTalk ought to have known about and defended against, having been subject to two similar attacks in 2015.
The fine sends a strong message to businesses of the importance of keeping personal data secure.Denham said the record fine is "a warning to others that cyber security is not an IT issue, it is a boardroom issue".
The ICO's fine pales in comparison to the commercial damage suffered by TalkTalk, including reported costs of £60m and the loss of 101,000 customers. But penalties could soon be much higher. The introduction of the GDPR in May 2018 will enable national regulators to impose fines of up €20m or 4% of total worldwide annual turnover.