Dido Harding revealed the figure in an interview with the BBC.
"The estimated one-off costs are between £30m and £35m – that's covering the response to the incident, the incremental calls into our call centres, obviously the additional IT and technology costs, and then the fact that over the last three weeks until yesterday our online sales sites have been down, so there will be lost revenue as a result," Harding said.
Last month TalkTalk reported that it had been the subject of a "significant and sustained" cyber attack which had potentially exposed the data it held on all 4 million of its customers to the hackers. It later confirmed that a data breach had occurred but affected fewer customers – 157,000 – than had initially been feared. A UK parliamentary inquiry into the security of personal data online has been launched following the TalkTalk incident.
Separately, Experian has reported that the "one-off costs" it experienced in "directly responding" to a data breach identified earlier this autumn have been accounted for in a $20 million "income statement charge" noted in its half-yearly report (47-page / 279KB PDF). An attack on Experian's systems exposed the personal data of approximately 15 million T-Mobile customers. Experian processed credit applications made by prospective T-Mobile customers on behalf of the mobile provider.
In its half-year report, Experian said it has "received a number of class actions in respect of the data breach and is currently working with regulators and government bodies as part of their investigations". It said it has insurance coverage in place which it could benefit from "in the event of unfavourable outcomes".
Laura Gillespie, an expert in data protection law at Pinsent Masons, the law firm behind Out-Law.com, said the announcements "clearly demonstrate the massive financial strain which a regulatory breach places on a business".
"Whilst the direct costs can be counted, one questions whether the losses are, in fact, much higher when you consider the reputational damage suffered," Gillespie said. "Businesses should ensure that their compliance programmes and IT systems are reviewed and updated regularly to ensure they are fit for purpose."
The figures should remind businesses of the need to ensure that information security is high on "the corporate agenda", said information law expert Lucy Jenkinson of Pinsent Masons. Jenkinson said the potential cost of management and staff time in responding to such a breach should not be underestimated.
Kuan Hon of Pinsent Masons, a data protection lawyer with computer science expertise, said companies need to develop a cyber incident response plan to recognise the near inevitability of an information security breach affecting them.
"Having a cyber incident response plan in place in advance of an incident and rehearsing that plan can be the difference between a large bill and an astronomical one for businesses that experience an information security breach. The more quickly a breach can be addressed and contained, the lower the costs are likely to be – and being properly prepared and rehearsed will help to speed up incident response," Hon said.
Hon said that the figures quoted by Harding "dwarf" the average cost of the worst data breach incidents recorded in a joint UK government and PwC report published in June. That report said the worst data breach incidents are costing UK businesses between £1.5m and £3m on average through business disruption, lost sales and assets and damage to reputation. Hon said businesses would also likely have to account for additional security and legal service costs to deal with the aftermath of the breach, including the implementation of additional security measures.
New EU data protection laws under negotiation are likely to introduce a new obligation on all businesses to report personal data breach incidents to regulators and affected individuals. At the moment only companies in certain sectors, such as telecoms, must notify data breaches.
In August the UK's data protection watchdog raised concerns that it will be swamped with notifications from organisations about minor data breaches as a result of the proposed reforms to EU data protection laws.
Under the reform plans backed by MEPs, organisations would be required to report any personal data breach without undue delay.
Alternative data breach notification rules backed by the Council of Ministers would, if introduced, require organisations to notify data protection authorities of personal data breaches they experience where the breach is "likely to result in a high risk for the rights and freedoms of individuals", such as where there is a risk of identity theft or financial loss. Notification would have to be made "without undue delay and, where feasible, not later than 72 hours" after organisations become aware of the breach.
The data protection reforms also promise to introduce much stiffer financial penalties for failings on data security, Gillespie said.
"It is clear that managing the fallout of a breach has colossal impact on a business operationally and financially," Gillespie said. "The potential financial burden could further increase in the future as the current draft of the EU General Data Protection Regulation proposes fines of up to 2% of global turnover. This compares with the £500,000 upper limit on the fines the UK's Information Commissioner's Office can currently issue."
Gillespie has previously outlined how businesses that experience data security breaches can use the law of legal privilege to investigate the circumstances of those breaches without fear that internal investigation documents will be used against them by regulators or litigants.