ICO: “Cyber security is not an IT issue, it is a boardroom issue”

Talk Talk

On 5 October 2016, Talk Talk was issued with a £400,000 fine – the highest fine yet from the Information Commissioner’s Office (“ICO”) – for breach of its security obligations under the Data Protection Act 1998 (“DPA”).

Between 15 and 21 October 2015 a hacker took advantage of technical weaknesses in Talk Talk’s systems and succeeded in accessing the personal data of 156,959 customers. In 15,656 cases, the attacker also had access to bank details and sort codes.

The Information Commissioner, Elizabeth Denham, said that the “fine acts as a warning that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this because they have a duty under law, but they must also do this because they have a duty to their customers.”

In addition to the fine, the costs resulting from Talk Talk’s data security breach amounted to £60 million.

Data Security Principle under the DPA

The seventh data protection principle in the DPA requires that personal information must be kept secure. It says that: “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

The DPA is not prescriptive about what measure must be taken and there is no “one size fits all” solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, and businesses should adopt a risk-based approach to deciding what level of security they need.

Preventative measures – lessons learnt from the ICO’s Talk Talk investigation

The ICO found inadequacies in Talk Talk’s security measures were the result of “serious oversight” rather than an deliberate intent to ignore or bypass the provisions of the DPA. The cyber-attack could have been prevented if the company had taken basic technical and security measures. In particular, the ICO identified the following issues:

• Legacy Pages: the data was part of an underlying customer database that Talk Talk inherited when it acquired Tiscali in 2009. These pages were vulnerable and Talk Talk had failed to identify and remove them or make them secure.
• Outdated Software: Talk Talk was not aware the database software was outdated. It did not know that the software had a bug or that a remedy for the bug had been publicised in 2012 and was easily available.
• Defences: The hacker used a common technique called SQL injection to which defences exist. Talk Talk ought to have known that there was a risk to the data from this technique and ought to have implemented sufficient defences.
• Lack of Monitoring: Talk Talk did not proactively monitor its systems to discover vulnerabilities.

The investigation found Talk Talk was unaware of two previous SQL injection attacks on 17 July 2015 and between 2-3 September 2015 and consequently Talk Talk’s contravention of the seventh data protection principle was ongoing until it took remedial action on 21 October 2015.

The ICO considered the breach serious due to the number of data subjects, the nature of personal data and the potential consequences from the breach – the data could be used for fraudulent purposes.

Other notable cyber attacks

The Talk Talk breach is one of several security breaches to have come to light  in recent months. The size and scale of these security breaches illustrates the Commissioner’s statement that companies urgently need to take stock of their cyber security arrangements.

• Myspace: In June this year, Myspace discovered 360 million passwords and email addresses had been stolen in a hack that occurred in 2013 and these details were discovered listed on the dark web.
•  Yahoo: In August, Yahoo discovered that at least 500 million of its accounts had been hacked in 2014. Yahoo only discovered the 2014 breach because it was investigating reports of a separate breach. The theft is the world’s biggest cyber breach so far. The data stolen included names, email addresses, telephone numbers, dates of birth and encrypted passwords.
•  Tesco Bank: Early this month, Tesco Bank suffered a serious cyber-attack which affected 40,000 customer accounts. Money was stolen from 9,000 current accounts, forcing Tesco Bank to suspend all online transactions. Its security arrangements are currently being investigated by a number of regulatory bodies including the National Crime Agency and the ICO. However, a number of cyber security experts have indicated that its software was vulnerable and was being targeted by cyber criminals for months. Notwithstanding any fines Tesco Bank may be required to pay, it has already spent £2.5 million compensating customers for their losses. 

Practical steps for securing data

By being vigilant and proactive, companies ought to be able prevent significant security breaches and the regulatory fines and compensation payments incurred, not to mention the stigma that such breaches attract.

The following practical steps should be considered to enhance data security:

• Updates Policy: it is good practice to have an updates policy for software which is used to process personal data and to ensure all software components are included in the policy (e.g. operating systems, applications, libraries and development frameworks);
• Testing: regularly test and monitor online systems and software for common threats such as SQL injections;
• Unnecessary Services: completely decommission any service that is not necessary and periodically review remaining services; and
• Encryption: use encryption schemes to secure the communication of data across the internet.

Higher fines under the General Data Protection Regulation (“GDPR”)

The maximum fine the ICO is currently able to award under the DPA is £500,000. The new General Data Protection Regulation (GDPR), which will have effect from May 2018, offers the ICO the potential to fine up to 20,000,000 EUR or up to 4% of annual worldwide turnover, whichever is the higher.

That’s 20m reasons for companies to review their data security policies and practices.

Josey Bright is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at jbright@foxwilliams.com