Thoroughly knowledgeable,
very pragmatic and

Chambers Guide


Keep up to date with our latest insight pieces, news and industry developments. See below for the latest posts or use the categories to hone your search for stories of interest.

Rather listen? The WABChats Podcast provides engaging and informative conversations with contacts, clients, advisors and friends of White & Black Limited. Listen Now.

Tough-talking Information Commissioner imposes unprecedented £400,000 data protection fine on Talk Talk

What does the highest UK data protection fine ever tell us about the new Information Commissioner and the future of data protection enforcement?

In October 2015, Talk Talk Telecom Group PLC (Talk Talk) suffered a cyber attack resulting in criminals gaining access to the personal data of 156,959 customers.  In just under 10% of cases, the compromised data included bank account and sort code details.

The hackers exploited the vulnerabilities of three legacy webpages that Talk Talk had acquired when it took over the operations of Tiscali UK in 2009, which allowed access to a database known as “Tiscali Master”, with outdated software.  Talk Talk was unaware that the webpages were still online and had therefore failed to make them secure.

Information Commissioner’s decision

The maximum fine that can be imposed by the Information Commissioner is currently £500,000.  In deciding to levy an unprecedented £400,000 fine, the new Commissioner Elizabeth Denham noted the following in respect of the seriousness of Talk Talk’s failures:

  • The contravention was likely to cause substantial damage or distress.  The data could be used for fraudulent purposes (including “blagging”) and was of a kind likely to cause distress, which Talk Talk should have known.
  • The failure was not deliberate, but was foreseeable.  Talk Talk ought to have known that the inherited webpages were online and gave access to the database.   The type of attack (SQL injection) was well-understood and known defences exist.
  • Talk Talk had failed to take reasonable steps to prevent the breach, by being aware of the webpages, removing or securing them and applying software updates.

The Commissioner also considered mitigating factors in Talk Talk’s favour, including:

  • There was a criminal attack.
  • Talk Talk reported the incident to the Commissioner and was cooperative during the investigation.
  • Talk Talk notified customers and offered them 12 months of free credit monitoring.
  • Substantial remedial action has been taken.
  • The incident was widely publicised.
  • The further reputational damage that the penalty might cause.

WAB Comment

For Talk Talk, a fine of £400,000 is minor relative to the actual costs of the breach.  According to its own disclosures, the high-profile attack resulted in the loss of 95,000 customers, a £15 million loss of trade and costs of up to £45 million.  There was also considerable criticism in the press of Talk Talk and its senior management at the time.

The level of the fine is, however, noteworthy for two reasons.  First, this is the most high-profile fine which Elizabeth Denham has handed down since she was appointed Information Commissioner in July 2016.  Her comments on the decision indicate both tough talking and tough action to ensure deterrence:

“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.

Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action. […]

Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”

Second, the implementation of the General Data Protection Regulation (GDPR) in May 2018 will result in EU data protection regulators, including the UK Information Commissioner, being able to impose fines of up to the greater of €20,000,000 or 4% of the undertaking’s total worldwide annual turnover.

The fine against Talk Talk represents 80% of the maximum fine that may be imposed under current UK data protection laws. Whilst this was clearly a serious breach there was no deliberate contravention by Talk Talk, which indicates that the Commissioner may be more likely to make full use of her increased powers of enforcement once the GDPR comes into force.  Commissioner Denham may find her new powers to be a particularly useful deterrent where the breaching party is a major international corporation or tech giant, for whom a £500,000 fine under the current laws is a relatively inconsequential sum.

See the ICO press release here and full decision here.

See our previous posts on the GDPR and the effect of Brexit upon it here.

Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.

This site uses cookies to improve your user experience. By using this site you agree to these cookies being set. To find out more see our cookies policy