Last week TalkTalk, the UK telecom firm, finally discovered the official financial penalty as a consequence of the data breach it suffered 12 months ago. The Information Commissioners Office, the UK data protection regulator, levied a fine of £400,000, the highest fine in its history.
In its judgement, the ICO stated that TalkTalk had failed to demonstrate even some of the most basic security protections. The root cause of the breach was a straightforward SQL injection vulnerability, widely known in the industry and known about for over 10 years. Information Commissioner Elizabeth Denham said that “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.” Ouch.
The £400,000 fine is, of course, a drop in the ocean for Talktalk. The commercial consequences for the company are much greater, in addition to the hundred thousand data records that were “accessed” the company estimate that 100,000 customers have left the business, and the costs of remediating have reached £42 million.
There is good news for Talktalk. Its timing is perfect. In 20 months’ time, in May 2018, the new General Data Protection Regulation (GDPR) becomes effective. The circumstances surrounding the TalkTalk data breach would, under GDPR, attract a fine of up to 4% of global annual revenue, as the ICO found that TalkTalk had caused a breach of data protection principles, namely that it had failed to prevent unauthorized access to personal records, and that it had kept personal data longer than necessary.
According to TalkTalk’s financial results in 2016, its global turnover was £1.838 billion, 4% of which is £73.5 million. Through good fortune and timing, TalkTalk has saved itself £73.1 million.
Other companies may not be so lucky.
If you’re interested in learning more about cyber security issues, please contact Duncan Brown.