TalkTalk hack raises important questions about regulation and data protection

Written by James Thomas on Monday November 2, 2015

The details that have emerged since the 21 October cyber attack on TalkTalk raise some serious questions not only for the broadband provider itself but for any business holding sensitive customer information.

The first bombshell was that the breach was apparently the result of a relatively unsophisticated attack, which experts suggest a company the size of TalkTalk should have had ample safeguards against. Moreover, the possibility that the attack may have been carried out by a fifteen-year-old boy acting alone is massively concerning.

The second major issue concerns the confused messages coming out of TalkTalk in the wake of the hack. There has been uncertainty, for example, as to how many of the company’s 4 million-plus customers have been affected and as to whether customers’ bank account details have been at risk in addition to their personal information, with CEO Dido Harding admitting that she didn’t know whether customers’ details had been encrypted or not. 

Meanwhile, her suggestion that, with the benefit of hindsight, the company should have done more to protect customer data is something of a throwaway sentiment, given that TalkTalk had been affected by two other cyber attacks since February of this year after which it claimed to have taken steps necessary to safeguard data.

A third area that the case highlights is the apparent nebulousness of the legal framework surrounding the protection of customer data, with Baroness Harding insisting to The Sunday Times that: "We have complied with all of our legal obligations in terms of storing of financial information." While the Information Commissioner’s Office will doubtless now be scrutinising that claim very closely, at the heart of it lies a single sentence within the Data protection Act: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” 

Of course, in a sphere as dynamic and fast moving as cyber security, the meaning of “appropriate measures” may be highly transient. What was appropriate one year will probably not be appropriate the next. Regulation routinely treads the line between prescription (carrying with it the risk that excessively detailed rules are either rapidly overtaken by events or are followed in letter rather than spirit) and excessive flexibility (that allows for broad interpretations that may not in practice achieve the intended outcome).

It will take some time for the dust to settle on the TalkTalk case. However, perhaps one immediate lesson is that, going forward, there may be a need for a more open, regular and on-going dialogue between industry and the authorities regarding the nature and evolution of the cyber threats that firms are exposed to, and that the two should work more closely together on the development and maintenance of best practice with regards to countering such threats.

To stay updated on the latest developments in governance,risk and compliance, anti money laundering and financial crime prevention, please follow us on either LinkedIn, Facebook and Twitter where you are guaranteed to be notified when our next blog post goes live!

If you're interested in an ICA qualification more information can be found on our ICA certificates and diplomas page. Alternatively, please call +44(0)121 362 7506 and we’ll happily talk you through your study options.