TalkTalk: a record fine

TalkTalk, the national phone and broadband operator, has been fined a record sum by the Information Commissioner’s Office (ICO) following last year’s ‘significant and sustained cyber-attack’ on its website.  Around 4 million customers were potentially affected following serious, but avoidable, contraventions of the Data Protection Act 1998 (DPA). 

Although the number of customers affected was lower than in several other companies’ security breaches, the ICO imposed a record fine of £400,000 (80% of the £500,000 maximum it can currently impose).  The size of the fine reflects, in part, the ICO’s finding that TalkTalk had failed to implement the most basic cyber security measures, which allowed the attackers to penetrate its systems with ease.

What does this mean?

Cyber security must be taken seriously, and businesses must keep their security measures current with the technology available.  The Information Commissioner accepts that hacking is wrong, “but that is not an excuse for companies to abdicate their security obligations”.  The ICO concluded that TalkTalk could have, and should have, done more to safeguard its customers’ information.

Clear lessons can be learnt from what the ICO revealed in its investigation.  Because of an earlier failing, TalkTalk had been unaware that an installed version of database software, which served three vulnerable webpages, was outdated and no longer supported by the provider.  The attacker used SQL injection through those pages to access the data.  SQL injection is a common and well-understood technique with well-known defences, so TalkTalk ought to have known that it posed a risk to its data.  This is reflected in the high level of the fine imposed.
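To make the technical point concrete, the following is an added illustration and not anything from the ICO’s report or TalkTalk’s systems.  It builds a small, constructed customer table in an in-memory SQLite database and runs the same web-page lookup two ways: once with the request parameter spliced into the SQL text (the injectable pattern), and once with the value bound as a parameter (the standard defence).  The table, column names and sample rows are invented for the example.

```python
import sqlite3

# Constructed sample data standing in for a customer database behind a
# web page.  Invented for this example; not any real operator's schema.
CUSTOMERS = [
    (1, "alice", "alice@example.com", "GB11 0000 0001"),
    (2, "bob", "bob@example.com", "GB11 0000 0002"),
    (3, "carol", "carol@example.com", "GB11 0000 0003"),
]


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, username TEXT, email TEXT, account TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Injectable: the request parameter becomes part of the SQL text.

    A value such as  x' OR '1'='1  turns the WHERE clause into a condition
    that is true for every row, so the query returns the whole table.
    """
    sql = (
        "SELECT id, username, email, account FROM customers "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Defended: the SQL text is fixed and the value is bound separately.

    The database receives the username as data, never as SQL, so quote
    characters and keywords inside it cannot change the query's logic.
    """
    sql = "SELECT id, username, email, account FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal value and a classic injection payload."""
    conn = make_db()
    payload = "x' OR '1'='1"  # boolean-based injection string
    return {
        "normal_vuln": lookup_vulnerable(conn, "alice"),
        "injected_vuln": lookup_vulnerable(conn, payload),   # dumps every row
        "normal_safe": lookup_parameterised(conn, "alice"),
        "injected_safe": lookup_parameterised(conn, payload),  # matches nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The injected lookup against the concatenated query returns all three constructed customers, including the account fields, while the parameterised query treats the same string as a literal username and returns nothing.  Binding parameters is the fix that has been available in every mainstream database driver for many years, which is why the ICO regarded this class of attack as one a data controller should be expected to defend against.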

Businesses must have processes and procedures in place to identify potential security risks, to ensure that their security measures are kept up to date, and to respond immediately when any security risk or breach is identified.

Businesses are reminded of the 7th Data Protection Principle under the DPA:

 “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

Failure to comply exposes the business concerned to potentially significant fines and serious reputational damage.

How can we help?

Data protection is a serious issue for all businesses.  The experienced commercial solicitors at Herrington Carmichael LLP can advise your business on your data protection measures and whether or not they are sufficiently robust.  We can also advise you on what you can do to ensure your organisation is compliant with the DPA.  If you have any concerns about your data protection and cyber security, contact us now for strategic legal advice.

Please contact Mark Chapman on 01276 686222 or Matthew Lea on 01189 898 155.