The ICO found that the attacker was able to access customer data "with ease" and that the breach could have been prevented if TalkTalk had taken basic steps to protect the data. Information Commissioner Elizabeth Denham said, "TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease" and that "today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue."
Peter Barbour, Head of Response at Context said, "While this is the ICO’s biggest ever fine, it is just a drop in the ocean of fines to come under the General Data Protection Regulation (GDPR), which is due to come into force in the UK in May 2018. Organisations need to be preparing for GDPR, in part to ensure they are not penalised with much more significant fines. In the TalkTalk case, under GDPR, it has been claimed that the fine could potentially have reached up to £73M – under GDPR you can be fined up to €20 million or 4% of your organisation’s global annual turnover, whichever is greater."
"Beyond the fines, organisations also need to consider costs associated with loss of business, customer confidence and share price, as well as the reputational harm that follows a significant breach."
Tim Erridge, Director of Cyber Advisory at Context said, "This really highlights the importance of getting a robust Cyber Operational Risk programme in place for your organisation now. This will help ensure that you are able to show you have done your cyber due diligence should a breach occur in a post GDPR landscape. Upfront investment to improve cyber resilience, especially detection and response capabilities, would have been a fraction of the overall cost impact of the breach."
"However, although everyone is talking about the fine, which is unprecedented and will most likely increase in future, there is really another significant precedent that has been set, in terms of accountability and the failure to adequately protect clients’ personal data. If I were charged with that mission right now, I would be taking a really honest look and asking: a) is my organisation doing enough to minimise potential compromises to client data, and if so, b) am I able to evidence due diligence to my regulators, board, shareholders and customers?"
If you would like more information on how to improve your network and data security, please do get in touch.