The Information Commissioner's Office ('ICO') fined TalkTalk £400,000 for breaching the seventh data protection principle ('7th DPP'), which provides for appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data.
You may recall the TalkTalk security breach in October 2015, whereby a cyber attacker accessed the personal data of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses. In over 15,500 cases, the attacker also had access to bank account details and sort codes. The ICO held that cyber attackers 'were able to access customer data with ease' and that the attack 'could have been prevented if TalkTalk had taken basic steps to protect customers' information'.
Key lessons for data controllers
1. Undertake due diligence on all entities you purchase
All organisations should hold a log of their complete ICT estate connected to the network and Internet as part of their wider cyber defence strategy, and should learn from previous cyber-attacks. The ICO had little sympathy for the fact that the hacked database was part of infrastructure TalkTalk inherited from Tiscali in 2009, nor for TalkTalk's claim, six years later, that it did not know the three vulnerable webpages existed or that they enabled access to an underlying database holding customer information (let alone that those webpages had been attacked twice previously). This, together with Verizon allegedly being unaware of the Yahoo data breach when Verizon purchased Yahoo in July 2016, shows the need for buyers to include contractual provisions covering material issues that only become known to the buyer post completion.
2. 'Cyber security is not an IT issue, it is a boardroom issue' – Elizabeth Denham
It is too early to say to what extent the record fine reflects the new Information Commissioner's policies and/or indicates an increase in enforcement action in advance of the General Data Protection Regulation ('GDPR') taking effect on 25 May 2018.
The maximum fine TalkTalk could have received had this cyber-attack happened under the GDPR would be the greater of 4% of annual worldwide turnover or €20 million. Currently it is £500,000. What is clear is that organisations should continue to prepare for the GDPR in spite of Brexit. This includes reviewing security measures and data breach strategies, and being aware of the continued increase in the number and sophistication of cyber-attacks.
3. Consider the costs associated with being hacked
Whilst a regulatory fine may be significant, there is likely to be greater reputational damage and financial cost (e.g. staff time, professional fees, other external consultants, lost customers) to organisations that are hacked. TalkTalk announced they lost 101,000 customers and suffered costs of £60 million as a result of the attack.
4. Implement all new releases and patches that correct known bugs or otherwise remove vulnerable webpages and software
The ICO placed weight on the fact that a fix had been available for over three years before the cyber-attack. Had the latest available version of the database software been installed, the attacker would not have been able to bypass security restrictions. Whilst spending may be increasingly scrutinised post Brexit, the financial, time and reputational cost of a cyber-attack could dwarf the cost of upgrading software. The monetary penalty notice ('MPN') makes clear that the ICO will have little sympathy if a data controller is penetrated by an SQL injection attack or another type of cyber security attack that has been well understood for several years.
5. Undertake appropriate proactive monitoring activities to discover vulnerabilities