Data protection implications of the TalkTalk hack: how securely do you safeguard customer data?

Last Wednesday, TalkTalk fell victim to a large-scale UK cyberattack.

By using what appears to have been a ‘distributed denial of service attack’ followed by an ‘SQL injection attack’ the hackers are reported to have downloaded the sensitive information of millions of the telecoms company’s customers, including their dates of birth, addresses, bank account numbers and sort codes.

 

In addition to the reputational damage it is suffering, TalkTalk is facing the costs of replacing customer credit cards and providing complimentary credit monitoring, as well as numerous potential claims for damages.

TalkTalk’s CEO has stated that the financial information that the hackers appear to have taken is not on its own enough for them to access customers’ bank accounts; credit card details taken by the hackers were “tokenised” (a security measure whereby some numbers are replaced with asterisks).

However, the bank account information is enough to leave victims open to scammers and identity fraud. This could potentially prove costly in light of the Court of Appeal’s recent decision in Google v Vidal-Hall & Others that customers can bring a claim for compensation for distress under the DPA even where there has not been any pecuniary (financial) loss.
 

Google Inc v Vidal-Hall & Others (2015) | Damages for distress under the DPA

Section 13 of the DPA provides that an individual who suffers distress due to a company’s breach of that Act can claim compensation for distress if the individual also suffers damage by reason of that breach. This has been a problem for claimants in the past who have struggled to demonstrate that the relevant breach caused them financial loss.

However, in Google v Vidal-Hall & Others, the Court of Appeal found that it would be “strange” if European data protection legislation could not compensate those individuals whose data privacy had been invaded … so as to cause them emotional distress (but not pecuniary damage).” Accordingly, and creating a significant development in data protection law, the Court ruled that financial loss was not necessary for individuals to claim compensation in respect of distress under the DPA.

The ongoing TalkTalk revelations are a reminder to businesses to ensure that their security measures and business practices are optimised for the types and volumes of personal data which they process, and that these are reviewed regularly.

As the ICO advises, “there is no ‘one size fits all’ solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, so businesses should adopt a risk-based approach to deciding what level of security is required”.

The ICO’s enquires surrounding the TalkTalk breach and the security measures the company had in place to safeguard personal data are ongoing.