[BreachExchange] TalkTalk's appeal against paltry ICO data breach fine thrown out
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Sep 1 19:16:23 EDT 2016
http://www.theregister.co.uk/2016/09/01/talktalk_appeal_
against_ico_data_breach_fine_dismissed/
TalkTalk has lost its appeal against the Information Commissioner's Office
decision to fine the company £1,000 for a data breach last year.
The ICO imposed a monetary penalty on TalkTalk for its failure to notify
the Commissioner of a personal data breach within 24 hours after its
detection, in circumstances it considered were feasible for TalkTalk to
have done so.
On 16 November 2015, one TalkTalk customer accidentally obtained
unauthorised access to the personal data of another customer and was able
to see their name, address, telephone numbers, email addresses and date of
birth.
This occurred due to a problem with one of TalkTalk’s mechanisms for
keeping its customers’ personal data secure – specifically, the password
mechanism by which customers access their TalkTalk accounts online.
The customer wrote a detailed letter to TalkTalk on 18 November 2015. At
the same time the customer raised the matter with the Information
Commissioner.
TalkTalk’s main issue with the subsequent ICO penalty was that it only
became sufficiently aware of the data breach after it concluded its own
investigation into the issues raised by the customer.
However, the First Tier Tribunal General Regulatory Chamber was unanimous
in dismissing the appeal(PDF). It considered the level of detail in the
customer’s letter of 18 November "led to the inevitable conclusion that
there was no other explanation for what had occurred other than that there
had been a personal data breach."
A TalkTalk spokeswoman said: “We’re aware of our obligations to the ICO and
believe that we acted within the given time limit.”
Last year TalkTalk exec Dido Harding pocketed £2.8m in salary. There are
roughly 250 working days in the year. So even if Harding did not take any
annual leave, her average daily income last year would have been £11,200.
That means the £1,000 fee imposed by the ICO on TalkTalk would have been
worth less than one hour of Harding's time.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160901/20a56b73/attachment.html>
More information about the BreachExchange
mailing list