Over the weekend, there have been a number of media reports
that TalkTalk customers have suffered a range of consequential damage, including
having their bank accounts cleared out. Other customers report that
they have been harassed by criminals. Actually, I think it’s unlikely that
these events are related to this data-loss; they are more likely to be
coincidental. What we do know is that stolen data is sold and re-sold, even
rented, many times and over many years after the original theft.

The only thing that is clear is the widespread confusion about
the extent, timing and consequences of the breach and about the various
responsibilities and actions to be taken by the Information Commissioner’s
Office and the Police. It is obvious that the Government has to do more to
ensure confidence in this vital industry and to protect the personal and
sensitive data of millions of UK citizens from cyber-criminals.

In answers to parliamentary questions last week, the
Conservative government Minister, Ed Vaizey, said that guidance to companies
experiencing a data breach is issued by the Information Commissioner’s Office
(ICO). But the ICO guidance is vague. It simply does not answer customers’
legitimate concerns and entitlement to compensation where appropriate. Whilst
the ICO require businesses to notify them of breaches, they do not insist on
customers being informed. This is clearly unacceptable. In this case, 4 million
customers must wonder who they can trust with their data.

The inability of TalkTalk’s Chief Executive to confirm that,
after the previous hacking attacks, she had acted to ensure that customers’
data was properly encrypted was telling. TalkTalk’s share price is down 10%. I
expect that shareholders and customers will insist that heads roll in the
boardroom.