
ICO Upholds £1,000 Fine Against TalkTalk for Personal Data Breach

Posted Friday, September 2nd, 2016 (3:04 pm) by Mark Jackson (Score 873)

The Information Commissioner’s Office (ICO) has upheld a £1,000 fine against UK phone and broadband provider TalkTalk after the ISP failed to inform the watchdog that a personal data breach had occurred on its system (the provider should have done this within 24 hours of becoming aware).

The breach, which is not related to last year’s cyber-attack on the ISP, occurred on 16th November 2015 when one of TalkTalk’s customers “accidentally obtained unauthorised access to the personal data of another customer” and was able to see the other user’s name, address, telephone numbers, email addresses and date of birth.

Apparently the situation occurred due to a problem with one of TalkTalk’s mechanisms for keeping its customers’ personal data secure – specifically, the password mechanism by which customers access their TalkTalk accounts online. The customer promptly notified both the ISP and the ICO on the same day, and two days after that followed it up again with a detailed letter.

The ICO then raised the issue with TalkTalk on 20th November and the ISP confirmed receipt of that letter. However, it then took until 27th November before TalkTalk’s Information Security Officer, Mike Rabbitt, was able to confirm that an investigation had been started, and the ISP didn’t officially confirm that a data breach had occurred until 1st December.

TalkTalk claims that the delay in reporting the breach was because “the incident had not been reported to either [TalkTalk’s] Information Security or Fraud team.” In February 2016 the ICO informed TalkTalk that it intended to impose a fine for the reporting failure, which TalkTalk opposed, and ultimately the case went to appeal.

Suffice to say that the Tribunal was unanimous in dismissing TalkTalk’s appeal.

HM Courts & Tribunals Service Ruling

The Tribunal consequently concluded that TalkTalk had sufficient awareness of the breach and that a personal data breach had been detected upon receipt of the customer’s letter of 18th November. The Tribunal strongly suspected that TalkTalk in fact had sufficient awareness of the breach when the customer telephoned on 16th November but were hampered in reaching any conclusion on this point by the failure of TalkTalk to provide any details of that initial complaint.

As part of its counter-argument TalkTalk revealed that the complaints it received about potential personal data breaches amounted to around 50 per month. However, the Tribunal was apparently unimpressed by “the contention that holding that ‘sufficient awareness’ in this case arose from the customer’s letter would place an unreasonable burden on service providers”.

16 Responses
  1. A

    £1000 fine? Well this is going to really show major companies who handle and store our data insecurely to encrypt and secure our data. This wasn’t their first time either. Ridiculous.

    • mrpops2ko

      Yeah, Jesus – I thought it was £1000 per breached user, which would be a reasonable fine – that’s the whole point, the fines should be punitive in nature in order to dissuade these shoddy companies from not paying proper wages to an IT department that properly follows security protocols.

  2. Optimist

    Mr Rabbitt of Talk Talk – I love it!

  3. Evan Crissall

    More of the same from the ICO — an extension of the same-old propaganda offensive targeting TT.

    In this case, using just the one complainant (singular) reporting a solitary data violation. Who was that complainant, btw? A real person? Or not. Either way, no proof of systemic failure in data security; just a one-off hiccup, at worst.

    But the token £1k fine – for that single insignificant failing. Providing pretext for ICO to strut around like prize peacocks, issuing mindless Press Releases about the perils of doing business with TalkTalk.

    Yet the actual value of the disclosed data is close to zero. Most all of that data (and much more) can be gotten from public sources.

    Name, address, DOB – is on publicly available electorals, for chrissake. [ DoBs requiring access to historical electorals showing date when voter turned 18]

    Interestingly, ICO shows no interest – ignoring repeated complaints to date – over a genuinely serious data privacy violation. That concerns a UK parcel courier:

    Here’s the tracking website for the parcel company. Try replacing the last xxxx with digits. That gives you the full name and address of EVERY parcel recipient, the sender, parcel contents, weight and value, and even instructions for where parcel should be hidden if no one at home!

    http://www.oneworldexpress.co.uk/remote/main/tracking.php?tracking_number=JD000225503098xxxx

    And yet the ICO doesn’t give a toss over complaints about that?? Costly bunch of clowns! Playing their own propaganda games with TalkTalk (on behalf of whom??)

    • FibreFred

      More conspiracy theory deduction?

    • captain.cretin

      Please read the story, if not here, then somewhere else and in depth.

      The fine isn’t for the data breach, the fine is for taking so long to do anything about it.

      Apart from being useless at keeping data safe, TT are worried: this type of thing becomes a much more serious event under new regulations that come into force soon, so TT tried to have the breach and the fine overturned to stop it being used as a benchmark for their next failure.

      BTW, as I understand it, £1,000 is the maximum they can be fined under the current regs for this particular offence.

    • New_Londoner

      Let’s not forget that TalkTalk suffered 4 breaches in a year. A bit odd to blame the ICO for Dido’s incompetent cyber security policies!

    • Optimist

      Evan, I wonder how many of One World Express’s customers know that their personal data is compromised?

  4. Evan Crissall

    All the sillier that the £1k fine was not for the alleged data breach but simply for not reporting to the ICO within 24 hours. As if that would have made an iota of difference.

    We still don’t know what the alleged failure was actually about. Was it a one-off human error? If so, would that really matter? Humans err; get over it. Our postie regularly delivers wrong mail intended for neighbours. Should postie get £1k fine every time he fluffs?

    According to above author, failure here was in “one of TalkTalk’s mechanisms for keeping customers’ personal data secure – specifically, the password mechanism by which customers access their TalkTalk accounts online.”

    Doesn’t sound like a systemic weakness in security mechanism; else why just the single complaint? No one else reported a problem?

    Storm in a teacup, imo. Cooked up by clowns at ICO to keep the flame-gun on TalkTalk; to damage the business, and boost rivals.

    It’s not as if rival BT is without security failings of its own. Remember the huge leak of “up to a million” subscriber records from its BT Sport programme?? Where are the £1k fines for each of those failings?? ICO behaving, wrt TalkTalk as a malicious government propaganda unit.

    As for what this TT record was actually worth – precisely nil, I would say. By way of comparison, take a peek at Companies House records; where the data controller is gummint itself.

    And where we find full names and addresses, email contacts, telephone numbers, dates of birth AND even scanned signatures! If that’s not a recipe for ID theft, then what is?! And yet the ICO has the cheek to pester and punish TalkTalk over one alleged breach; one single record containing nothing worth stealing. Jokers!

  5. baby_frogmella

    @Evan
    Indeed it’s amazing how many people defend BT at all costs on this site, yet if you stick up for one of their rivals you’re automatically classed as a troll/ISP employee/idiot (delete as appropriate).

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved