Earlier this month, it was reported that internet service provider TalkTalk had been issued with a record £400,000 fine from the Information Commissioner’s Office (ICO) for failing to protect personal data from an easily avoidable cyber-attack. However, under new data protection laws coming into force from May 2018, the scale of the fine for a similar breach could be significantly higher, as fines could be up to 4% of a business’ global annual turnover (or €20,000,000, whichever is the greater).
The incident itself occurred between 15 and 21 October 2015, with the attackers obtaining the personal information of 156,959 people. This data included customers’ names, addresses, dates of birth, telephone numbers and email addresses and, in the case of 15,656 individuals, their bank account details and sort codes. Whilst these precise figures are now available, at the time of the breach TalkTalk knew neither how much data nor what kind of information had been taken by the attackers.