The ICO has finally delivered its verdict in the TalkTalk hacking case. It has fined them £400k, a record under the current regime (the Data Protection Act 1998), and made some very telling comments, many of which echo things you’ll have heard before if you read this blog regularly.
Three key take-aways, I think:
- £400k sounds like a lot, and TalkTalk are certainly bleating about it, but from 2018 it could have been £17.5m (roughly the €20m ceiling) or even £71.8m (4% of TalkTalk’s global annual turnover, which is the other, higher limb of the cap). That’s how much more serious the penalties will be under the forthcoming General Data Protection Regulation.
- The hack used a well-known technique, SQL injection against a public-facing web page, that could easily have been prevented. Failing to remedy these known issues, combined with the failure to encrypt the stored data, lies behind the scale of the fine.
- Elizabeth Denham, the Information Commissioner (who is definitely a good egg), made it very clear that cyber security is a board issue. So glad it’s not just me saying that.
The database that was compromised (and you have to wonder why it was reachable through their public website in the first place) was inherited as part of their takeover of Tiscali. So one more thought: don’t forget to include IT and cyber security in your due diligence if you’re doing any M&A, and make sure the inherited systems actually get inventoried and patched afterwards.