Over the weekend, there have been a number of media reports that TalkTalk customers have suffered a range of consequential damage, including having their bank accounts cleared out. Other customers report that they have been harassed by criminals. Actually, I think it’s unlikely that these events are related to this data-loss; they are more likely to be coincidental. What we do know is that stolen data is sold and re-sold, even rented, many times and over many years after the original theft.
The only thing that is clear is the widespread confusion about the extent, timing and consequences of the breach and about the various responsibilities and actions to be taken by the Information Commissioner’s Office and the Police. It is obvious that the Government has to do more to ensure confidence in this vital industry and to protect the personal and sensitive data of millions of UK citizens from cyber-criminals.
In answers to parliamentary questions last week, the Conservative government Minister, Ed Vaizey, said that guidance to companies experiencing a data breach is issued by the Information Commissioner’s Office (ICO). But the ICO guidance is vague. It simply does not answer customers’ legitimate concerns and entitlement to compensation where appropriate. Whilst the ICO require businesses to notify them of breaches, they do not insist on customers being informed. This is clearly unacceptable. In this case, 4 million customers must wonder who they can trust with their data.
The inability of TalkTalk’s Chief Executive to confirm that, after the previous hacking attacks, she had acted to ensure that customers’ data was properly encrypted was telling. TalkTalk’s share price is down 10%. I expect that shareholders and customers will insist that heads roll in the boardroom.