
ICO Upholds £1,000 Fine Against TalkTalk for Personal Data Breach

Friday, September 2nd, 2016 (3:04 pm)

The Information Commissioner’s Office (ICO) has upheld a £1,000 fine against UK phone and broadband provider TalkTalk after the ISP failed to inform the watchdog that a personal data breach had occurred on its system (the provider should have done this within 24 hours of becoming aware).

The breach, which is not related to last year’s cyber-attack on the ISP, occurred on 16th November 2015 when one of TalkTalk’s customers “accidentally obtained unauthorised access to the personal data of another customer” and was able to see the other user’s name, address, telephone numbers, email addresses and date of birth.

Apparently the situation occurred due to a problem with one of TalkTalk’s mechanisms for keeping its customers’ personal data secure – specifically, the password mechanism by which customers access their TalkTalk accounts online. The customer promptly notified both the ISP and the ICO on the same day, and two days later followed this up with a detailed letter.

The ICO then raised the issue with TalkTalk on 20th November and the ISP confirmed receipt of that letter. However, it then took until 27th November before TalkTalk’s Information Security Officer, Mike Rabbitt, was able to confirm that an investigation had been started, and the ISP did not officially confirm that a data breach had occurred until 1st December.

TalkTalk claims that the delay in reporting the breach was because “the incident had not been reported to either [TalkTalk’s] Information Security or Fraud team.” In February 2016 the ICO informed TalkTalk that it intended to impose a fine for the reporting failure, which TalkTalk opposed, and ultimately the case went to appeal.

Suffice to say that the Tribunal was unanimous in dismissing TalkTalk’s appeal.

HM Courts & Tribunals Service Ruling

The Tribunal consequently concluded that TalkTalk had sufficient awareness of the breach and that a personal data breach had been detected upon receipt of the customer’s letter of 18th November. The Tribunal strongly suspected that TalkTalk in fact had sufficient awareness of the breach when the customer telephoned on 16th November, but was hampered in reaching any conclusion on this point by the failure of TalkTalk to provide any details of that initial complaint.

As part of its counter-argument TalkTalk revealed that the complaints it received about potential personal data breaches amounted to around 50 per month. However, the Tribunal was apparently unimpressed by “the contention that holding that ‘sufficient awareness’ in this case arose from the customer’s letter would place an unreasonable burden on service providers”.

By Mark Jackson
16 Responses
  1. A says:

    £1000 fine? Well this is going to really show major companies who handle and store our data insecurely to encrypt and secure our data. This wasn’t their first time either. Ridiculous.

    1. mrpops2ko says:

      yeah jesus – I thought £1000 per breached user, which would be reasonable of a fine – that’s the whole point, the fines should be punitive in nature in order to dissuade these shoddy companies from not paying proper wages to an IT department that properly follows security protocols.

  2. Optimist says:

    Mr Rabbitt of Talk Talk – I love it!

  3. Evan Crissall says:

    More of the same from the ICO — an extension of the same-old propaganda offensive targeting TT.

    In this case, using just the one complainant (singular) reporting a solitary data violation. Who was that complainant, btw? A real person? Or not. Either way, no proof of systemic failure in data security; just a one-off hiccup, at worst.

    But the token £1k fine – for that single insignificant failing. Providing pretext for ICO to strut around like prize peacocks, issuing mindless Press Releases about the perils of doing business with TalkTalk.

    Yet the actual value of the disclosed data is close to zero. Most all of that data (and much more) can be gotten from public sources.

    Name, address, DOB – is on publicly available electorals, for chrissake. [ DoBs requiring access to historical electorals showing date when voter turned 18]

    Interestingly, ICO shows no interest – ignoring repeated complaints to date – over a genuinely serious data privacy violation. That concerns a UK parcel courier:

    Here’s the tracking website for the parcel company. Try replacing the last xxxx with digits. That gives you the full name and address of EVERY parcel recipient, the sender, parcel contents, weight and value, and even instructions for where parcel should be hidden if no one at home!

    And yet the ICO doesn’t give a toss over complaints about that?? Costly bunch of clowns! Playing their own propaganda games with TalkTalk (on behalf of whom??)

    1. FibreFred says:

      More conspiracy theory deduction?

    2. captain.cretin says:

      Please read the story, if not here, then somewhere else and in depth.

      The fine isn’t for the data breach, the fine is for taking so long to do anything about it.

      Apart from being useless at keeping data safe, TT are worried that this type of thing becomes a much more serious event under new regulations that come into force soon, so TT tried to have the breach and the fine over-turned to stop it being used as a benchmark for their next failure.

      BTW, as I understand it, £1,000 is the maximum they can be fined under the current regs for this particular offence.

    3. New_Londoner says:

      Let’s not forget that TalkTalk suffered 4 breaches in a year. A bit odd to blame the ICO for Dido’s incompetent cyber security policies!

    4. Optimist says:

      Evan, I wonder how many of One World Express’s customers know that their personal data is compromised?

  4. Evan Crissall says:

    All the sillier that £1k fine was not for alleged data breach but simply for not reporting to ICO within 24 hours. As if that would have made an iota of difference.

    We still don’t know what the alleged failure was actually about. Was it a one-off human error? If so, would that really matter? Humans err; get over it. Our postie regularly delivers wrong mail intended for neighbours. Should postie get £1k fine every time he fluffs?

    According to above author, failure here was in “one of TalkTalk’s mechanisms for keeping customers’ personal data secure – specifically, the password mechanism by which customers access their TalkTalk accounts online.”

    Doesn’t sound like a systemic weakness in security mechanism; else why just the single complaint? No one else reported a problem?

    Storm in a teacup, imo. Cooked up by clowns at ICO to keep the flame-gun on TalkTalk; to damage the business, and boost rivals.

    It’s not as if rival BT is without security failings of its own. Remember the huge leak of “up to a million” subscriber records from its BT Sport programme?? Where are the £1k fines for each of those failings?? ICO behaving, wrt TalkTalk, as a malicious government propaganda unit.

    As for what this TT record was actually worth – precisely nil, I would say. By way of comparison, take a peek at Companies House records; where the data controller is gummint itself.

    And where we find full names and addresses, email contacts, telephone numbers, dates of birth AND even scanned signatures! If that’s not a recipe for ID theft, then what is?! And yet the ICO has the cheek to pester and punish TalkTalk over one alleged breach; one single record containing nothing worth stealing. Jokers!

    1. captain.cretin says:

      Red Herring examples... do you work for TT??

    2. Evan Crissall says:

      How long have you been a sockpuppet for BT, captain.cretin?

    3. FibreFred says:

      I assume as you’ve flipped to abuse mode you have no examples?

    4. captain.cretin says:

      You obviously don’t read any of my posts, I detest BT, and if I could get away with not paying line rental to them I would.

      So…. no genuine, relevant examples then???

      Of course I could get abusive in return, and suggest Evan works for North Yorkshire Police :-p

    5. FibreFred says:

      Interesting... 🙂

  5. baby_frogmella says:

    Indeed it’s amazing how many people defend BT at all costs on this site, yet if you stick up for one of their rivals you’re automatically classed as a troll/ISP employee/idiot (delete as appropriate).

    1. Dumb argument says:

      “Indeed it’s amazing how many people defend BT”

      It’s obviously only one.
