Skip to main content


TalkTalk receives record £400,000 fine for failing to protect customers' data

TalkTalk, the internet service provider has been fined £400,000 by the Information Commissioner’s Office (ICO) for security failings that led to the company being hacked back in October 2015.  The fine is the highest imposed by the UK data's regulator to date and close to the statutory maximum of £500,000.

It is understood from the ICO’s investigation of the matter that serious security failings had occurred, allowing a cyber attacker to access customer data ‘with ease’.  The ICO said the breach could have been prevented if TalkTalk had taken basic steps to protect the information of its customers.

Some commentators believe the size of the fine is a sign that the ICO toughening its stance on data controllers who fail to do enough to protect personal data.

Between 15 to 21 October 2015, a cyber-attack took place in which the personal data of 156,959 customers was accessed.  Names, addresses, dates of birth, phone numbers and email addresses were accessed.  In some 15,656 cases the attacker was able to access customer's bank account details.

Elizabeth Denham, commenting for the ICO stated that “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease...Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

It has been confirmed that the technique used by the cyber attacker is called the “SQL injection”, a technique well known within the security industry.  The ICO affirmed that “the SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data”.  An aggravating feature of TalkTalk's breach was the company's failure to respond to two early warning signs that their security systems were unsatisfactory.  On 17 July 2015 there was a successful SQL attack on certain webpages, followed by two further attacks launched on 2 and 3 September 2015.

Ms Denham added “In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting... [TalkTalk's] record fine acts as a warning to others that cyber-security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”

The General Data Protection Regulation, set to come into force across the EU in May 2018, could allow for fines for data breaches of up to €20 million or 4 per cent of global annual turnover could be enforced for data breaches.

A full copy of the Monetary Penalty Notices can be found here.


Click here to found out how Brett Wilson privacy solicitors can assist you if your personal data is the subject of a data leak.


Legal Disclaimer

Articles are intended as an introduction to the topic and do not constitute legal advice.