The Information Commissioner’s Office (ICO) has upheld a £1,000 fine against UK phone and broadband provider TalkTalk after the ISP failed to inform the watchdog that a personal data breach had occurred on its system (the provider should have done this within 24 hours of becoming aware).
The breach, which is not related to last year’s cyber-attack on the ISP, occurred on 16th November 2015 when one of TalkTalk’s customers “accidentally obtained unauthorised access to the personal data of another customer” and was able to see the other user’s name, address, telephone numbers, email addresses and date of birth.
Apparently the situation occurred due to a problem with one of TalkTalk’s mechanisms for keeping its customers’ personal data secure – specifically, the password mechanism by which customers access their TalkTalk accounts online. The customer promptly notified both the ISP and ICO on the same day and two days after that they also followed it up again with a detailed letter.
The ICO then raised the issue with TalkTalk on 20th November and the ISP confirmed receipt of that letter. However, it then took until 27th November before TalkTalk’s Information Security Officer, Mike Rabbitt, was able to confirm that an investigation had been started, and the company did not officially confirm that a data breach had occurred until 1st December.
TalkTalk claims that the delay in reporting the breach was because “the incident had not been reported to either [TalkTalk’s] Information Security or Fraud team.” In February 2016 the ICO informed TalkTalk that it intended to impose a fine for the reporting failure, which TalkTalk opposed, and ultimately the case went to appeal.
Suffice it to say that the Tribunal was unanimous in dismissing TalkTalk’s appeal.
The Tribunal consequently concluded that TalkTalk had sufficient awareness of the breach and that a personal data breach had been detected upon receipt of the customer’s letter of 18th November. The Tribunal strongly suspected that TalkTalk in fact had sufficient awareness of the breach when the customer telephoned on 16th November, but was hampered in reaching any conclusion on this point by TalkTalk’s failure to provide any details of that initial complaint.
As part of its counter-argument TalkTalk revealed that the complaints it received about potential personal data breaches amounted to around 50 per month. However, the Tribunal was apparently unimpressed by “the contention that holding that ‘sufficient awareness’ in this case arose from the customer’s letter would place an unreasonable burden on service providers”.