Out-Law News

Latest TalkTalk fine a warning to firms to keep IT systems up to date, expert says

The latest fine issued by the Information Commissioner's Office (ICO) against TalkTalk should be seen as a warning to businesses of all sizes to keep their IT systems up to date, an expert has said.

The telecoms firm was fined £100,000 by the ICO last week for failing to sufficiently protect its customers' data by allowing staff and third-party contractors access to an "unjustifiably wide-ranging" amount of that data. TalkTalk "should have been aware of the increasing prevalence of scams and attempted frauds" and should have ensured its data security measures were sufficient to mitigate the risks, the ICO said.

The ICO found that employees of Wipro, a third-party contractor based in India, were able to access TalkTalk customer information from any internet-enabled device and to view and export data from up to 500 customer records at one time. A specialist investigation by TalkTalk identified three Wipro accounts that had been used to gain unauthorised and unlawful access to the personal data of up to 21,000 TalkTalk customers.

The breach came to light in September 2014, when TalkTalk started getting complaints from customers that they were receiving calls from scammers pretending that they were providing technical support. The scammers were able to quote customers' addresses and TalkTalk account numbers.

The fine is unrelated to the record £400,000 fine TalkTalk received from the ICO last year, following a "significant and sustained" October 2015 cyber attack during which the personal data of approximately 157,000 customers was compromised. The ICO uncovered a number of "matters of serious oversight" in TalkTalk's data security practices in the run-up to that attack, which included operating outdated software and not undertaking "appropriate proactive monitoring" for system vulnerabilities.

Civil fraud and asset recovery expert Alan Sheeley of Pinsent Masons, the law firm behind Out-Law.com, said that TalkTalk "should be very grateful that the fine happened when it did". The ICO's power to impose monetary penalties for data protection law breaches is currently limited to £500,000, but this will increase to up to £17 million or 4% of global turnover for the most serious data breaches once the EU's General Data Protection Regulation (GDPR) comes into force next May.

"All businesses, no matter their size, should be really concerned about this fine," Sheeley said.

"I am often instructed by clients concerning cyber attacks and how best to respond to the crisis. I would like to say that clients' systems are usually robust and up to date; however, this is not always the case as businesses see IT costs as a business expense and necessary evil that directors do not always understand. Boards often think that no matter how much money is spent on IT, the business will still be vulnerable – therefore, boards can think that a minimum spend is acceptable and concentrate on other areas of the business," he said.

"Businesses need to focus on their IT systems and make sure they are up to date and robust. Failure to carry out the bare minimum could result in record fines in the near future, which could destroy businesses," said Sheeley. "Businesses need to have in place crisis response plans to deal with hackers and the consequences. Such plans must include instructing appropriate experts to secure the evidence, such as hard drives and phones, and to identify the vulnerabilities and weaknesses in their systems. A crisis response plan must also include instructing civil fraud solicitors to recover any funds or data that have been lost."