Maksim Kabakou - Fotolia

Government committee calls on TalkTalk to publish breach report

A government committee inquiry into the TalkTalk cyber breach calls for more fines and other measures to ensure greater protection of personal data

TalkTalk should publish a PricewaterhouseCoopers (PwC) review of its systems, according to a government committee investigating the data breach at the company in October 2015.

The Department of Culture, Media and Sport Committee also called for the Information Commissioner’s Office (ICO) to introduce fines for delays in reporting personal data breaches, and made several other recommendations in its inquiry report.

The committee launched an inquiry to examine the circumstances of the breach that saw the personal information of 155,000 people compromised and lost the broadband provider 100,000 customers, and between £40m and £45m in costs.

The inquiry was also aimed at examining the wider implications of the breach for telecoms and internet service providers (ISPs).

The committee looked at cyber security and the response to cyber crime and broader issues around data protection.

As part of the inquiry, the committee heard evidence from TalkTalk chief executive Dido Harding and the ICO.

The committee said it awaits the outcome of the ICO investigation into TalkTalk cyber attack and data breach, and notes the comment from the ICO that the time taken for the investigation is partly due to the international dimension to the investigation.

“We accept this, but regret that – some eight months after the breach – customers are no closer to a clear understanding of what happened,” the report said.

The committee said it seems evident that 30 enforcement staff at the ICO are not enough to handle 1,000 cases and almost 200,000 public concerns a year, even if the vast majority of cases are found not to warrant detailed investigation.

“We suggest that the new information commissioner make an assessment of resources and priorities as soon as possible,” the report said.

Read more about data breaches

The committee said although final judgement as to how the breach occurred must await the PwC review report commissioned by TalkTalk, it recognises the strong crisis management response by TalkTalk and the prompt response and leadership shown by Dido Harding. 

“However, it is important that TalkTalk publish as much of the PwC investigation as commercially possible without delay, and set out how they will implement any necessary changes,” the report said.

Although it is appropriate for the CEO to lead a crisis response, the committee said cyber security should sit with someone able to take full day-to-day responsibility, with board oversight, and who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber attack.

“To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security,” the report said.

According to the committee, there needs to be a “step change” in consumer awareness of online and telephone scams. “The government should initiate a public awareness-raising campaign, on a par with its campaign to promote smoke alarm testing,” the report said.

Companies should also provide well-publicised guidance to existing and new customers on how they will contact customers and how to make contact to verify that communications from the company are genuine, the report said.

Security by design

The committee recommends that ICO should introduce a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches.

“A data breach facilitated by a ‘plain vanilla’ SQL attack, for example, or continued vulnerabilities and repeated attacks, could thus trigger a significant fine,” the report said.

The committee said it was “surprised” that there is no requirement to make security a major consideration in the design of new IT systems and apps.

“We therefore recommend that security by design should be a core principle for new system and apps development and a mandatory part of developer training, with existing development staff retrained as necessary,” the report said.

Advice for consumers

In major organisations, where the risks of attack are significant, the committee recommends that the person responsible for cyber security should be fully supported in organising realistic incident management plans and exercises. This includes planned communications with customers and those who might be affected, whether or not there has an actual breach.

“Telecoms companies should clarify this point in simple language for consumers, so that they can make an informed choice when choosing a service or product,” the report said.

The committee said it should be easier for consumers to claim compensation if they have been the victim of a data breach.

The report said there are a number of entities, such as the Citizens Advice Bureau, that could provide further advice to consumers on seeking redress through the small claims process.

“It would be useful for the Law Society to provide guidance to its members on assisting individuals to seek compensation following a data breach. The ICO should assess if adequate redress is being provided by the small claims process,” the report said.

Cyber Essentials and the ICO

All telecommunications companies and online retailers – and other cyber-vulnerable organisations – should take steps to ensure that compliance with data protection rules and Cyber Essentials are key criteria when selecting third party suppliers, the report said.

Cyber Essentials, however, should be regularly updated to take account of more recent attacks, including the need for security, incident management and recovery plans and processes for responding to cyber-ransom demands.

“The ICO and Cyber Essentials should publish further guidance on informing the relevant authorities. They should also include best-practice examples of how to inform, in an appropriate way, those affected,” the report said.

“[This will allow companies] to strike the best possible balance between protecting information that is sensitive to police investigations, while recognising consumer/customer requirements to be made aware of a breach that may affect them.”

This is particularly relevant, the committee said, as the EU General Data Protection Regulation (GDPR) will extend the obligation to inform consumers to all companies and organisation, not just telecommunications companies and ISPs.

Report calls for higher fines for delays

According to the committee, the ICO should introduce an incentive structure that inhibits delays, such as escalating fines for delays in reporting a breach.

“At present, the ICO can only issue a fixed fine of £1,000 for failure to report a data breach. There should also be scope to levy higher fines if the organisation has not already provided guidance to all customers on how to verify communications” the report said.

“We concur with the ICO, that while the implementation of the GDPR will help focus attention on data protection, it would be useful to have a full range of sanctions, including custodial sentences.

“We therefore support the ICO’s call to bring into force Sections 77 and 78 of the Criminal Justice and Immigration Act 2008, which would allow a maximum custodial sentence of two years for those convicted of unlawfully obtaining and selling personal data.”

Companies and other organisations need to demonstrate not just how much they are spending to improve their security, but that they are spending it effectively, the report said.

In this regard, the committee recommends that that organisations holding large amounts of personal data should report annually to the ICO on:

  • Staff cyber-awareness training, when their security processes were last audited, whether they have an incident management plan in place and when it was last tested.
  • What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine.
  • The number of enquiries they process from customers to verify authenticity of communications.
  • The number of attacks of which they are aware and whether any resulted in a data breach.

Privacy seal

There is an urgent need for a mechanism that is easily understood by consumers to maintain consumer confidence and inform consumer choices, the report said.

The committee said it therefore supports the ICO’s plan to create a privacy seal to be launched later in 2016, which would be awarded to entities that demonstrate good privacy practice and high data protection compliance standards.

“It would be useful if the privacy seal could also incorporate a traffic light system to help consumers understand which companies are compliant, which are making progress and which have yet to take the issue seriously,” the committee said.

Nevertheless, the committee said the ICO should have additional powers of non-consensual audit, notably for health, local government and potentially for other sectors.

Warning about Investigatory Powers Bill

Finally, the committee said the vulnerability of additional pooled data is an important concern that needs to be addressed urgently by the government.

During the oral evidence session, the report said the ICO issued a stark warning about the Investigatory Powers Bill, currently before Parliament.

“The ICO said that it creates a ‘haystack of potential problems’, given the huge pools of personal data that it would create and their vulnerability to attack and theft leading to personal data breaches. We also received evidence from academics who agreed on this point,” the report said.

Part of the government’s response, the report said, could be to require enhanced security requirements and background checks for those with access to large pools of personal data, while data controllers should seek to control and limit access to such pooled data.

Read more on Privacy and data protection