

Specialist Lawyer Says Cybercrime Threatens All Businesses
The recent security breach at TalkTalk highlights the growing danger of cyber-attacks in the UK, but according to a leading legal expert at national law firm, Irwin Mitchell, it is important to recognise that it isn’t just large, high-profile businesses that are at risk.
This is TalkTalk’s third major security breach in 10 months. The Information Commissioner is already investigating the two previous security breaches involving the company. In December 2014, customers received India-based scam calls, followed by a similar recurrence in February 2015. TalkTalk described the information that was stolen as ‘non-sensitive’.
TalkTalk’s CEO Dido Harding stated at the weekend that the hack ‘was not as bad’ as first feared and that the company was under no legal obligation to encrypt customers’ sensitive data.
There are a number of legal issues in play here.
The Information Commissioner has the power to impose monetary penalties for data breaches, capped at £500,000. A fine of £250,000 (at the time the maximum penalty) was previously imposed on Sony Computer Entertainment Corporation after PlayStation customer data was leaked; the customer data had not been encrypted (although credit card details had). The Information Commissioner said that the hack and consequent security breach could have been avoided if the software had been up to date.
Whilst encryption might seem an obvious and proportionate approach to protecting sensitive data, so far as the Data Protection Act is concerned, there is no explicit obligation to encrypt. Under the Data Protection Act, ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’. However, the Information Commissioner will look at whether TalkTalk’s security measures were good enough, notwithstanding the fact it was the subject of a determined criminal attack.
In addition to action from the Information Commissioner, TalkTalk could face a barrage of claims from its customers if it is shown it has breached the Data Protection Act and its customers have suffered financial damage and/or distress.
Georgie Collins, Partner and specialist intellectual property and media lawyer at Irwin Mitchell, said:
“The TalkTalk hack is just another example of cyber-crime that threatens all businesses. Whilst we have seen some high profile hacks, including JP Morgan, Sony, and Ashley Madison, the reality is that cyber attacks happen constantly with only the newsworthy breaches making the headlines. Large or small, all the cases have one thing in common: customer data is liquid gold.”
What can you do if you are a TalkTalk customer?
If you are worried about your data, here are some immediate actions you can take to protect yourself:
Beware of scam phone calls
If you receive any phone calls from someone claiming to be from TalkTalk, do not give your private information; TalkTalk states that it never asks customers to give their full passwords or PIN codes over the telephone. If you are unsure if the caller is really from TalkTalk, ask for their name and call the company back on its customer service helpline.
Beware of emails
Hackers often send emails that appear to come from an organisation you trust but are really a scam that attempts to elicit your personal information. Do not send your personal information over email, and avoid clicking on links in an email, which might be part of a ploy to redirect you to a phishing site.
Password change
Change your passwords as soon as the TalkTalk website is back up and running. If you have used the same password across multiple accounts, try to use a different password for each account.
Bank account
Check your bank account to ensure there have been no suspicious transactions. If you do see something suspicious, contact your bank and the national fraud reporting centre, Action Fraud, on 0300 123 2040.
Irwin Mitchell can provide support for businesses which are concerned about the dangers posed by cyber-attacks. The leading national firm can help in the first instance by minimising the threat of attack by ensuring the right contracts are in place to minimise risk of information leakage. This includes an assessment of network and data security; advice on strategies to comply with regulation; conducting a cyber-security health check and the implementation of a cyber-security plan. The firm will take action to deal with an attack if it does occur and maximise protection against risk.