Learning from TalkTalk
The Information Commissioner’s Office (ICO) has issued its largest ever fine – £400,000 – to TalkTalk following a hack which resulted in the personal data of 156,969 customers and the bank details of 15,656 customers being accessed. It is the largest fine issued by the ICO since 2014, when it fined an NHS Trust for exposing the sensitive personal data of thousands of patients on decommissioned hard drives which ended up on eBay.
In 2009, Carphone Warehouse acquired the UK subsidiary of Tiscali for £236 million before merging the Tiscali business with TalkTalk and spinning TalkTalk off as a separate listed company. Unfortunately for TalkTalk, it inherited a number of webpages from Tiscali which were vulnerable to attack and over a period of six days in October 2015, those vulnerabilities were exploited by an attacker who gained access to the underlying Tiscali database.
When TalkTalk finally realised what was happening, it responded by taking its websites down and replacing them with a temporary holding page. There was confusion surrounding the attack, with some reports suggesting that the bank details of up to four million customers had been accessed. A few days later, TalkTalk confirmed that the impact of the breach was more limited than originally believed and that the bank details accessed were not sufficient for money to be taken from customers’ accounts.
TalkTalk’s Chief Executive, Dido Harding, became the face of a company on the receiving end of its third cyberattack within a period of 12 months, having to answer some very difficult questions on BBC Breakfast about how such a thing could be allowed to happen. TalkTalk, and Ms Harding in particular, were heavily criticised by the media for their handling of the situation.
How was the attack investigated?
Firstly, the breach drew the attention of the House of Commons Culture, Media and Sport Committee, which launched a formal inquiry into the breach and its wider implications. The inquiry heard evidence from Dido Harding and the ICO and published its report in June 2016, concluding that:
- Dido Harding demonstrated “prompt response and leadership”, but while “it [was] appropriate for the CEO to lead a crisis response…cybersecurity should sit with someone able to take full day-to-day responsibility, with Board oversight, who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyberattack…a portion of CEO compensation should be linked to effective cybersecurity”
- “The ICO should introduce a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches…security by design should be a core principle for new system and apps development and a mandatory part of developer training, with existing development staff retrained as necessary”
- “In major organisations, where the risks of attack are significant, the person responsible for cybersecurity should be fully supported in organising realistic incident management plans and exercises, including planned communications with customers and those who might be affected, whether or not there has been an actual breach.”
Throughout the Committee’s inquiry, the ICO was undertaking its investigation which included meetings with key personnel and an investigation by the ICO’s technical division.
What did the ICO conclude?
The ICO concluded that:
“[TalkTalk] failed to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data in contravention of the seventh data protection principle…for ensuring that such an incident would not occur, i.e. for ensuring that personal data held on the database could not be accessed by an attack performing an SQL injection attack.”
In reaching its conclusion, the ICO noted that TalkTalk was using outdated database software for which a fix had been available for over three years and that TalkTalk did not undertake proactive monitoring activities.
In determining the amount of the fine, the ICO took into consideration the fact that TalkTalk was on the receiving end of a criminal attack, had been cooperative with the ICO’s investigations and had offered affected customers 12 months’ free credit monitoring. However, given TalkTalk’s financial resources, the ICO did not consider that the penalty would cause undue financial hardship, and it took the view that such a penalty should serve as a deterrent to other organisations to keep personal data secure.
What can be learned from the TalkTalk hack?
Perhaps the greatest reason for the media backlash surrounding the TalkTalk hack was that many would have expected TalkTalk to be alive to the real and pending threat of cyberattacks. Indeed TalkTalk was already on shaky ground with its customers following two earlier cyberattacks and yet a simple vulnerability was exploited and it was evident that there was no clear plan for handling such an attack and communicating with potentially affected customers.
It would be the easiest thing in the world to recline in blissful ignorance, thinking that a cyberattack will not happen to your organisation. But according to a report by the Federation of Small Businesses, two thirds of small businesses have fallen victim to a cyberattack in the past two years. There is therefore no room for complacency.
A good starting point is to take a look at the ICO guidance on how to protect personal data in the provision of online services. The Government-backed Cyber Essentials scheme provides a free assessment tool on “basic cyber hygiene” together with free guidance and a pathway towards accreditation.
How can we help?
Our specialist Data Protection team can provide practical advice on compliance with data protection law throughout the data lifecycle and across your entire business organisation. From data protection policies through to data security breach response plans, reputation management, training and audit, we provide a complete solution which enables you to proactively manage compliance and respond promptly and effectively in the event of a cyberattack or other breach.