
TalkTalk could face huge data breach compensation cost

Some commentators have suggested that the future of TalkTalk could be in jeopardy, with lawyers looking at potential compensation claims of £1,000 by thousands of customers

TalkTalk could be facing huge compensation costs in connection with the recently disclosed cyber attack and potential breach of the personal data of its four million customers.

Less than a week after the news that Sony Pictures is to pay $8m in compensation to former employees affected by data leaks that followed a cyber attack on the company in 2014, TalkTalk is facing a similar situation.  

While Sony is unlikely to be affected by the payout in the long run, some commentators have suggested that the future of TalkTalk could be in jeopardy, with lawyers looking at compensation claims of £1,000 on behalf of thousands of customers and the total lost income expected to be as high as £75m, according to the Daily Star.

But the exact number of customers affected is still unknown, making it impossible to estimate what the total compensation cost could be.

TalkTalk has confirmed that defence company BAE Systems is to investigate the cyber attack that could have compromised the personal data of its customers.

A spokeswoman for BAE's Applied Intelligence division said the company's cyber specialists are analysing "vast quantities" of data to help establish how the breach took place and what information was stolen, according to the International Business Times.

Scotland Yard is also investigating alongside the National Crime Agency, but no arrests have been made.

Officers are examining a ransom demand sent by someone claiming to be responsible for the attack and seeking payment – but TalkTalk said it is not yet clear if the message is genuine.

The data breach is also under investigation by the Information Commissioner’s Office (ICO), which is currently empowered to impose a monetary penalty of up to £500,000 if TalkTalk is found guilty of severe data protection failings.

TalkTalk has downplayed the potential impact of the breach, emphasising that only its website was attacked and not its core systems, which means only partial credit card numbers were exposed, making them theoretically useless to cyber criminals.

“We now expect the amount of financial information that may have been accessed to be materially lower than initially believed and would on its own not enable a criminal to take money from your account,” the company said in a statement.

Loss of personal data extremely serious

However, cyber security experts have said the loss of personal data alone is extremely serious. “Media outlets focus heavily on the stolen credit card numbers, however, in practice, for the average person the theft of personal data is much more critical,” said Imperva co-founder and CTO Amichai Shulman.

“My advice to customers would be to keep a close eye for fraudulent activity on bank accounts and be particularly vigilant of phishing attacks,” he added.

The theft of financial information such as credit card or account details has a limited lifespan because these things can be changed, said HP Data Security vice-president Andy Heather.

“But the personal information that can be obtained by accessing someone’s account profile has a much broader use and can be used to commit a much wider range of fraud and identity theft, and simply cannot be changed,” he said.


According to Heather, the selling price for a single stolen credit card is around $1, but if that card information is sold with a full identity profile, the price can increase dramatically, to as much as $500.

“If the cyber criminals know where the real value is then surely we should all expect a responsible organisation to pay appropriate attention to keeping our personal information safe,” he said.

“This breach highlights a need for companies to place tighter controls on how their customers' sensitive information is protected.”

According to TalkTalk chief executive Dido Harding, cyber attacks are happening to a huge number of organisations all the time.

“The awful truth is that every company, every organisation in the UK needs to spend more money and put more focus on cyber security – it's the crime of our era,” she told the Telegraph.

Harding said it was “too early to say” whether the company will establish a compensation fund to handle the fallout from the attack because it was still unclear how many customers had been affected and to what degree, according to the Guardian.

Encryption will not stop all cyber crime

While TalkTalk has been criticised for not ensuring that all data was encrypted, some security experts have pointed out that encryption will not stop all cyber intrusions.

While encryption will ensure that any raw data captured by cyber criminals is unusable, independent security consultant Graham Cluley pointed out that a high proportion of data breaches are carried out using compromised credentials.

This means the data is accessed using the credentials of legitimate users, which in turn means the data will be decrypted automatically when it is accessed by a criminal using stolen credentials.

If a hacker uses a SQL-injection vulnerability or any other vulnerability to get root privilege, the hacker can then log on as any user, said Cluley.

“And because he's an authorised user, he has all the access to the sensitive database that the kosher user has,” he wrote in a blog post.

Tim Erlin, director of IT security and risk strategy at Tripwire, said that while it is important for any organisation that collects, stores or transmits personal information to ensure the data is encrypted at rest and in transit, encryption alone is not a perfect solution to data theft.

“The sensitive data we need to protect also needs to be used by various business systems. If those systems are compromised, the data can still be accessed by attackers. Companies need to secure the configurations of their systems as well as encrypt the data they use,” he said. 
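To make Cluley's and Erlin's point concrete, here is an added example (written for this article, not code from TalkTalk or any of the companies quoted) in which customer profiles are encrypted at rest with a key the application holds: a thief of the database file alone gets ciphertext, but anyone presenting valid credentials gets plaintext through the application, so the defence has to include controls around the system that uses the data. The cipher is a toy stand-in, the customer rows are constructed, and the per-session decrypt budget is a hypothetical control.

```python
import hashlib
import hmac
import os
import sqlite3
from collections import Counter

# Toy stand-in for at-rest encryption (HMAC-SHA256 keystream, counter mode).
# Constructed for this illustration only; a real system would use an AEAD such as AES-GCM.
def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# The application holds the key; that is what lets business systems use the data at all.
APP_KEY = hashlib.sha256(b"constructed-demo-key").digest()
# Constructed sample customers (id, login, profile text). Not real data.
CUSTOMERS = [(1, "alice", "Alice, 1 High St, account 12345678"),
             (2, "bob", "Bob, 2 Low Rd, account 87654321")]
DECRYPTS_PER_SESSION = Counter()   # hypothetical control: decryptions counted per session
SESSION_LIMIT = 3                  # assumed threshold before a session is flagged for review

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, login TEXT, profile BLOB)")
    for cid, login, profile in CUSTOMERS:
        conn.execute("INSERT INTO customers VALUES (?, ?, ?)",
                     (cid, login, encrypt(APP_KEY, profile.encode())))
    return conn

def stored_blob(conn, cid):
    """What a thief of the database file alone gets: ciphertext, not the profile."""
    return conn.execute("SELECT profile FROM customers WHERE id = ?", (cid,)).fetchone()[0]

def fetch_profile(conn, session_login, cid):
    """Parameterised query (no SQL injection), yet the application decrypts for
    ANY caller presenting a valid session for `login`: stolen credentials suffice."""
    row = conn.execute("SELECT profile FROM customers WHERE id = ? AND login = ?",
                       (cid, session_login)).fetchone()
    if row is None:
        return None
    DECRYPTS_PER_SESSION[session_login] += 1
    if DECRYPTS_PER_SESSION[session_login] > SESSION_LIMIT:
        raise PermissionError(f"session {session_login} exceeded decrypt budget; review access")
    return decrypt(APP_KEY, row[0]).decode()
```

The budget check is deliberately simple; in practice the equivalent is anomaly detection on access volume per credential, which catches the stolen-credential path that encryption at rest cannot.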

However, business advisory firm CEB said that when responding to the news of the potential personal data breach at TalkTalk, other organisations should not focus on investing in new technology alone.

CEB IT practice leader Jeremy Bergsman said the cyber attack on TalkTalk has led many other organisations to consider what can be done to stop these kinds of attacks.

“While many companies are focused on fancy new security tools that attempt to leverage big data, it turns out that a focus on the basics is more important,” he said.

Bergsman said research shows that more than 99% of successful data breaches in 2014 exploited a vulnerability that was more than a year old, while more than 50% of breaches are the result of employee behaviour, such as opening a phishing email with damaging links or attachments.

“The fact that most breaches could have been stopped by patching known vulnerabilities or avoiding employee mistakes shows that the most important thing for an organisation to focus on is basic protections consistently applied, and helping employees understand their role in keeping information safe and having clear policies on risk and compliance,” he said.

“At the same time security controls can’t be too much of a burden; chief information security officers need to be realistic about the demands on employees’ time and resources.”


All I can say is wow. It looks like another costly breach and the lawyers are lining up to file suit. Granted identity theft is a real issue and some of us may already be victims and not even know it. Cases like this may be hard to prove in court that you have actually been compromised. I know a few years ago, my wife was contacted by our mortgage company. Her personal info, and many others', was compromised by an internal source. They provided her with 5 years of identity theft protection. Nothing happened to her as far as we were aware of. That has to go back now about 15 years and still no problems. If we got a lawyer and got settlement for something that never caused us a problem I'd feel guilty.
At the end of the day it is totally wrong for TalkTalk to not allow people to leave their contracts early.

If someone stores your data unencrypted AND allows their systems to be breached then they have seriously let you down and broken your trust.

To then tell people that unless they can afford expensive contract termination penalties then they MUST allow TalkTalk to continue to be the guardians of their data, that is totally wrong.

Their argument is counter-intuitive, they are saying you can leave early IF you can prove you have been the victim of fraud due to the breach. The people who should be most concerned are those whose information has not yet been sold around the dark web! Yet these are the people who aren't allowed to reclaim their data. Crazy.

TalkTalk have lost the right to demand anything.

Furthermore, I think it is entirely right that TalkTalk should pay up in terms of compensation too.

Even impartial companies like Which agree that 'This is the bare minimum from TalkTalk'. I for one will absolutely be claiming TalkTalk compensation if it becomes available.

Actions have consequences