Summary: The ICO has handed TalkTalk a record fine of £400,000 for breaches of the Data Protection Act 1998, related to the well-publicised cyber-attack it suffered last year. We summarise the key findings from the ICO and the resulting trend for group litigation by individuals.
The ICO has handed TalkTalk a record fine of £400,000 for breaches of the Data Protection Act 1998 (“DPA”) related to the well-publicised cyber-attack it suffered last year. This case illustrates the level of care that must be taken in relation to applying data security standards, and how undertaking data protection due diligence on acquisitions is crucial.
TalkTalk acquired Tiscali’s UK business in 2009. Unknown to TalkTalk, Tiscali had been operating web pages backed by a database running an outdated version of MySQL. Between 15 and 21 October 2015, cyber-attackers were able to exploit vulnerabilities in those web pages and use an SQL injection attack to gain access to the personal data of 156,959 customers, including the bank account information of 15,656 customers.
The ICO decided that TalkTalk had failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data. In particular: (1) TalkTalk failed to assess the technology infrastructure it acquired from Tiscali and consequently was unaware of the issues; (2) in turn, this meant that TalkTalk failed to remove the web pages or otherwise secure them; (3) a well-known fix for the vulnerabilities in the outdated software had been made available over three years before the attacks; and (4) TalkTalk had been subject to two previous SQL injection attacks (a well-understood method of cyber-attack) earlier in 2015 and had failed to take reasonable remedial steps following those attacks. The ICO concluded that the breach was likely to cause substantial damage or substantial distress to the affected individuals.
The ICO currently has the power to issue fines of up to £500,000 for DPA breaches, and has sent out a strong message with this record fine. The ICO’s powers are set to increase significantly in May 2018 when the General Data Protection Regulation takes effect, with maximum fines set at the greater of €20 million or 4% of group annual turnover.
In addition, group litigation by individuals seems likely, and there are already reports that affected TalkTalk customers are preparing legal proceedings. This is becoming an increasingly common trend following a Court of Appeal ruling last year that individuals can bring claims for distress alone, without having to prove that they have suffered financial loss from a breach.