The UK Information Commissioner's Office (the "ICO") has issued a record fine of £400,000 to a UK telecoms company, in connection with a data breach that took place in October 2015. The fine, and the related adverse publicity, serve as a stark warning to companies that fail to implement appropriate data security measures.
On 5 October 2016, the ICO issued a Monetary Penalty Notice, imposing a £400,000 fine on TalkTalk Telecom Group PLC ("TalkTalk") in respect of a data breach that affected over 156,000 customers who had their personal data stolen, including over 15,000 customers whose bank account details were also taken. The ICO's investigation concluded that TalkTalk could have prevented the attack if it had had the correct security measures in place.
The fine is the largest to be imposed by the ICO to date. The ICO currently has the power to issue fines of up to £500,000. However, under the General Data Protection Regulation ("GDPR"), enforcement of which begins on 25 May 2018, the ICO will be able to impose fines of up to the greater of €20 million or 4% of worldwide turnover, dramatically escalating the potential financial consequences of failing to comply with data protection law.
The ICO investigation
The cyber attack took place between 15 and 21 October 2015, targeting three particularly vulnerable web pages that were part of an infrastructure TalkTalk had inherited when it acquired the UK operations of Tiscali in 2009. TalkTalk was unaware that these web pages were still available on the internet and that they provided access to an underlying database of customer information.
The company also said it was unaware that, at the time of the attack, the three web pages were affected by a bug that allowed hackers to bypass access restrictions using a technique called SQL injection. The ICO investigation noted that this is a common technique used by hackers, and found that the bug could easily have been removed by applying a fix that had been available since 2012. TalkTalk had been the victim of two other attacks earlier in 2015, one of which had successfully used the same SQL injection technique.
The ICO found that TalkTalk had committed a serious contravention of the seventh data protection principle (which requires businesses to implement appropriate technical and organisational security measures to protect personal data). While the ICO noted that the contravention was not deliberate, it concluded that TalkTalk should have been aware of the risks, and found that there was no good reason why TalkTalk had failed to implement the necessary security measures.
The ICO concluded that a monetary penalty would be "fair and just" in this case, and would serve as a reminder of the need to ensure that appropriate and effective security measures are implemented in order to protect personal data.
Lessons for businesses
The nature of today's interconnected world is that companies holding large datasets are increasingly likely to face attacks from malicious third parties seeking access to those data. It is incumbent upon businesses to take the necessary measures to ensure the security of personal data. Failure to do so is likely to attract ever-increasing attention from the ICO and other Data Protection Authorities. TalkTalk provides a salutary example of the dangers that businesses face – particularly because the fact that the relevant security failures were unintentional did not attract much sympathy from the ICO.
Quite apart from the financial consequences of any fines, TalkTalk has received a significant volume of adverse publicity as a result of the data breach. TalkTalk also released a Trading Update in which it indicated that it had lost 101,000 customers in "response to the cyber attack". In many cases, the cost of addressing the PR and brand perception consequences of a data breach is likely to far outweigh the cost of any fines.
Separately, TalkTalk received a £1,000 fine (upheld on appeal) for failing to report a further security breach within the 24 hours required by the applicable legislation. At present, the 24-hour data breach reporting obligation only applies to telecoms companies. However, from 25 May 2018, the GDPR imposes a mandatory 72-hour data breach reporting obligation on all businesses in all sectors (subject to some minor exceptions for non-serious breaches). For most businesses, this 72-hour deadline will present a significant challenge because the person most likely to discover the breach (usually an IT technician), the person to whom it should be reported (usually a member of the legal team), and the person who will make strategic decisions about reporting the breach (usually a manager or board member) likely do not interact in the ordinary course of business. In order to be able to satisfy the 72-hour data breach reporting obligation, it will be essential to ensure that there is a smooth flow of information between these individuals, and many businesses will need to implement material changes to their internal reporting structure to achieve this.
In light of these risks, businesses should: (i) consider whether they have adequate data security measures in place; (ii) review their data breach reporting structures and ensure that breaches can be swiftly reported; and (iii) ensure that employees are properly trained in how to react in the event of a data breach. Further guidance on all of these issues is available in our GDPR Handbook.
Chris Ewing, a Trainee Solicitor at White & Case, assisted in the development of this publication.