back to article TalkTalk gets record £400k slap-slap from Brit watchdog

The UK Information Commissioner's Office (ICO) has issued TalkTalk with a record £400,000 fine for allowing attackers to access customer data “with ease”. The penalty comes at the same time as the ICO publishes its in-depth investigation of last October's megabreach, which the office claims “could have been prevented if …

  1. Queeg

    Not enough 0's

    1. Don Dumb

      @Queeg "Not enough 0's"

      It had the most 0s the authority could hand out. According to the Beeb, the maximum fine is £500,000.

      1. Charlie Clark Silver badge

        It had the most 0s the authority could hand out.

        Which tells us all we need to know about the ICO's rubber teeth: should per customer (works out at less than £3 per customer), or % of turnover (as proposed in the new EU data protection directive).

        1. Don Dumb

          @Charlie Clark - I don't disagree. I just wouldn't want this to be blamed on the ICO itself so much as the people who gave it its mandate.

      2. cd / && rm -rf *

        "It had the most 0s the authority could hand out"

        So the ICO gave TalkTalk a good gumming. Talk about toothless watchdogs.

        1. AMBxx Silver badge

          The fine is effectively paid by shareholders. Would be better if someone senior at TT was held accountable.

          1. Ken Hagan Gold badge

            @AMBxx: It is the shareholders' job to hold someone senior accountable. Since the fine is a small fraction of the amount that the shareholders pay to the senior management, the shareholders may well take the view that this is a minor slip-up and "these things happen".

        2. tmTM

          Re: "Talk about toothless watchdogs"

          Did someone mention the Advertising Standards Authority ?????

      3. Random Handle

        >According to the Beeb, the maximum fine is £500,000.

        Yep - it needs a amending to per user not incident. Where the 157,000 had their bank details leaked maybe £10K a head dropping to maybe £1K a head for email/hashword combo. Rising up to the full whack (or higher) when someone ends up dead or injured.

        Unlikely to change or attract Government interest in changing it when the company is run by a Conservative Peer of course - which is why she is worth every penny of her £2.8 million

        1. Anonymous Coward
          Anonymous Coward

          I understand the sentiment, but how does sending a company to the wall, leaving customers without service and thousands of people jobless, help?

          If you make penalties too harsh (in all areas of life) you just increase the incentive to not get caught. It's possible to weight the scales so that the rational choice is to spend most effort on avoiding detection rather than trying to stop the bad thing happening.

          Making people personally liable is also a bad idea, for much the same reason. Security isn't improved if you can't fill the posts. I don't want my wife and kids losing their home because a contractor screwed up in work done before I'd even joined a company.

          The purpose of a fine or other punishment is to provide incentive for improved behaviour. If you kill the company there is no incentive.

          1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      >Not enough 0's

      Not enough rope.

    3. Anonymous Coward
      Anonymous Coward

      TalkTalk gets record £400k slap-slap

      The penalty should be a lot more [£4 miillion] but if it's close to the max that's it. Don't forget there were two other TalkTalk data breaches before the TalkTalk website hack. Roll on 24th May 2018, after that allowing this sort of thing comes under criminal law! CEO's take note & get their lawyer to read the Irish Nationality and Citizenship Act, 2004

      1. Lord M4x

        Re: TalkTalk gets record £400k slap-slap

        Irish nationality won't save you. On the 1st of August this year, the amended EU Data Protection act Regulation 2016/679 came into force.

        Effectively, there is a legal obligation to disclose data breaches and a possible fine of up to 4% of GLOBAL revenue for failing to protect customer's data.

  2. Anonymous Coward
    Anonymous Coward

    As a TalkTalk customer, I say good.

    That said, they'll probably put the prices up again to cut their losses, the greedy bastards.

    1. Anonymous Coward
      Anonymous Coward

      >As a TalkTalk customer, I say good.

      >That said, they'll probably put the prices up again to cut their losses, the greedy bastards.

      They just paid Baroness Harding (CEO) £2.8 million in salary & incentives, £400K is a rounding error.

      If you're still a TalkTalk customer, I'm sorry to say it, but you deserve to suffer (and will).

      1. Anonymous Coward
        Anonymous Coward

        The only choice in my area is them or BT...

        1. Doctor Syntax Silver badge

          "The only choice in my area is them or BT"

          Where's that? I find it difficult to believe that such an area exists.

    2. Anonymous Coward
      IT Angle

      But why...

      Are you still a TalkTalk customer? Honest question. It intrigues me.

      1. Anonymous Coward
        Anonymous Coward

        Re: But why...

        Unfortunately I'm stuck in a contract with them and would have to pay to get out of it..

        1. Captain Scarlet

          Re: But why...

          Hmm odd you think they won't make it difficult for you to leave them once the contract has ended?

          1. Anonymous Coward
            Anonymous Coward

            Re: But why...

            Well when you leave check your bill as the so**s [dirt lumps] will charge you for items you paid for up front on joining like line rental. TalkTalk will say they will adjust it in a months time. Well after all the porkies they told after losing customers data 3 times in about 12 months, I don't trust them. Atame gnat jnows more about data security than TalkTalk. If giving them a free loan for a month is OK by you do nowt. After all with a £400,000 fine to pay TalkTalk needs your dosh. Alternatively ring TalkTalk and your Bank and cancel the payment as it doesn’t meet the Direct Debit Guarantee.

            I left but I'm still getting up to three scam calls a day from pople purporting to be TalkTalk as I didn't change my number and the scammers have my DOB.

          2. Anonymous Coward
            Anonymous Coward

            Re: But why...

            No captain scarlet I no they can't do nothing once your contract ends, I never said anything about that it's now atm if I left I would have to pay an exit fee so unless I pay that (which I don't intend do ) I'm stuck ..

  3. Maverick

    only my doctor, my employer. my Bank and HMRC has my correct date of birth (and I don't trust any of them not to lose it)

    why does an ISP need the correct DOB?

    there again my local council wanted my DOB in order that I could arrange collection of heavy electrical item (which they could recycle for profit) FFS

    1. JimmyPage Silver badge
      FAIL

      RE: why does an ISP need the correct DOB?

      "It's the system"

      1. frank ly

        Re: RE: why does an ISP need the correct DOB?

        I used to think they use it to cross check for identity with your bank for direct debits or with your CC company for CC debit authority.

        "Credit check"

        I spend more at Asda with my CC than I do with my ISP but they never ask for my DOB. Anyway, having done a credit check, why do they then feel the need to store it, insecurely?

        1. Anonymous Coward
          Anonymous Coward

          Re: RE: why does an ISP need the correct DOB?

          I spend more at Asda with my CC than I do with my ISP but they never ask for my DOB.

          I think you'll find that you did give your DOB to your credit card provider, and what's more they've got access to a whole lot more data on you than you think you provided.

      2. Anonymous Coward
        Anonymous Coward

        Re: RE: why does an ISP need the correct DOB?

        porn and torrent filtering and spying

    2. Anonymous Coward
      Anonymous Coward

      "why does an ISP need the correct DOB?"

      Credit Check.

  4. JimmyPage Silver badge
    Flame

    Where's that vomit-inducing CEO now ?

    Sorry, that £400K doesn't being to make up for having her smug, nauseating patronising lying face on our screens for weeks - usually at breakfast.

    1. Charlie Clark Silver badge

      Re: Where's that vomit-inducing CEO now ?

      If past form is anything to go by I'm sure we can see her in government or heading some gravy train. After all it's how daddy made his money.

      1. krivine

        Re: Where's that vomit-inducing CEO now ?

        See her in government? She helps pass legislation that lets this sort of thing go without any practical consequences.

        She's a Tory peer.

  5. Anonymous Coward
    Anonymous Coward

    The thing that puts me off moving to Andrews and Arnold ISP is that apparently Talk Talk is part of their backhaul.

    1. A Non e-mouse Silver badge

      The thing that puts me off moving to Andrews and Arnold ISP is that apparently Talk Talk is part of their backhaul.

      From the A&A Website:

      It is important not to confuse the carriers we are talking about here with retail offerings from other telcos. For example, BT Retail offer various broadband services, and whilst they use the same back-haul network, the services they offer depend very much on their business model and their equipment which is different to ours. So just because you have heard bad things about a particular retail offering does not mean their carrier / wholesale back-haul network is bad in some way. This is particularly important when considering issues such as shaping policies or censorship - the back-haul networks we use are transparently passing PPP packets between you and us and we bypass any such measures used in their retail offerings.

      Also, TT Backhaul is selectable, depending on the service you want from A&A.

  6. Andy Non Silver badge
    FAIL

    TalkTalk street hawkers

    One of their street hawkers collared me again this morning in the town centre.

    Him "Do you have broadband sir?"

    Me "Are you TalkTalk?"

    Him "Yes, for my sins."

    Me "I wouldn't join TalkTalk if you were the last ISP on the planet."

    Him "Why is that?"

    Me "Because you have a terrible reputation for customer service. You are wide open to hackers; and the person at the head of your company talks crap."

    Him "Oh." Looking somewhat sullen.

    Things must be bad, considering how many of these street hawkers they've got scattered around different town centres and street corners trying to pimp TalkTalk contracts.

    1. djstardust

      Re: TalkTalk street hawkers

      But of course they always end the chat with "have a nice day"

      So at least some of their drone training works.

      1. Anonymous Coward
        Anonymous Coward

        Re: TalkTalk street hawkers

        So at least some of their drone training works.

        I'm no bleeding heart liberal, but can we be a bit more polite about people doing crappy sales jobs than "drones"? I know as well as you do how irritating it is, but these people are simply earning a living, doing what they're told for money in a way that seems to be compliant with law.

        I've done some shitty jobs in my time, I'd guess you might have. We all do what we have to in order to get by. Calling somebody a "drone" because of the job they have is a bit insulting, surely.

        Now, if they're an out and out cunt, that's different, but that's generally unrelated to the job they do (insert lawyer jibes here).

        1. Anonymous Coward
          Anonymous Coward

          Re: Polite to drones

          We should be polite to drones because we are all drones, it's just easier to see in others than ourselves.

    2. Captain DaFt

      Re: TalkTalk street hawkers

      You really need to learn how to short out what little brains the hawkers have.

      -Him "Do you have broadband sir?"-

      Me: "Well that's damned personal from a complete stranger! Just because a someone's a bit overweight doesn't give you the right to harass them!" <stalk off indignantly>

  7. Fruit and Nutcase Silver badge

    No surrender

    Dido (Harding) should get the TalkTalk telephone system at hold music changed to "White Flag" by Dido (Armstrong), as she will no doubt, not fall on her sword

  8. clint1

    Definitely not a big enough fine for this totally incompetent company.

    I dumped them in February an as yet have never had a problem with my new ISP, Plusnet.

    1. Anonymous Coward
      Anonymous Coward

      Oh LOL, out of the frying pan, into the fire.

    2. Anonymous Coward
      Anonymous Coward

      Hi, client1 were you in a contract with them when you moved?

  9. Dwarf

    Not the first time

    Pity its only £400K. As 150K customer details were leaked. That puts the value of our personal details at £2.66 each which seems a little on the low side !!

    There is a trend here though. This time around it cost them 60 Million and 101K customers Other sites claim 200K customers walked.

    Previously in 2011 they were fined £3M fine for bogus billing - The Reg article from 2011

    I wonder if they will ever learn that its cheaper to do it right and that your customers will be more likely to stay around.

    Whats more worrying though is that they still claim 3.9 million customers.which means that only 10% of the customer base walked, so there are a heck of a lot of uninformed or thick skinned people out there who just accept low customer service as the norm.

    1. ArrZarr Silver badge

      Re: Not the first time

      thick skinned people out there who just accept low customer service as the norm.

      Obviously you've never dealt with Internet in Hull - you can have awful customer service at extortionate prices or you can not have Internet.

    2. John Brown (no body) Silver badge

      Re: Not the first time

      "Whats more worrying though is that they still claim 3.9 million customers.which means that only 10% of the customer base walked, so there are a heck of a lot of uninformed or thick skinned people out there who just accept low customer service as the norm."

      Attention spans. The last TalkTalk data breach made national news headlines. But most people have forgotten about it now. The average consumer, at best, will probably remember TalkTalk was all over the media a while ago and likely remembers the name but not why. It's all about brand awareness. Preferably with good connotations rather than bad, but time blunts that to simply "awareness" of the name. If they can manage to keep their noses clean for another 12 months (doubtful based on past performance) then they will likely be back where they started in terms of customer numbers.

  10. Rod 6

    As an ex-customer... should the CIO suffer some personal consequences? Like going to Jail.

    1. Anonymous Coward
      Anonymous Coward

      What law have they broken as an individual?

      1. John Brown (no body) Silver badge

        That's what the ongoing criminal investigation is all about. It's highly unlikely Baroness Dido will get any mud flung her way. Then again, she'd not be the first peer to end up in jail or disgraced. Mind you, they do seem to bounce back in most cases.

  11. JayBizzle
    WTF?

    Quote taken from BBC:

    TalkTalk said the fine was "disappointing" as it had "co-operated fully" with the investigation.

    "The TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves."

    This is the bit that really got on my nerves; we gave customers the best opportunity to fix the consequences from our mess. They did F' all to help customers and caused worry and stress. They then also caused a number of companies pain by having to replace bank cards, extra fraud checks, handle extra phone calls etc. who pays for that?

    Then Talk Talk is still disappointed in the fine? *Seething!* Total boycott of this company is required.

    So much rage about them giving zero fucks about their customers, I could rant about it this for a while.

    1. teebie

      For an 'open and honest'? reaction they said a lot that wasn't true, such as claiming the details were stolen in a DDOS attack, and that their security was in some way adequate.

      Although I concede that the Dunning–Kruger effect says they might be such shufflewits that this isn't technically lying.

  12. ShaunS

    As a TalkTalk customer who has received more than 60 of these scam technical virus phone calls in the past year, I am please to see TT get a fine.

    I would like to see fines set at the exact figure of the CEO salary and bonus for the year. This might send the message home to the board more effectively.

  13. Anonymous Coward
    Anonymous Coward

    Oh no.....management of some SMEs that are "not proactive" on updates and patches have slightly opened an eyelid when they heard "TalkTalk's security failures extended to ignorance that its database software – which was unspecified – was not only outdated, but in fact so old that it was no longer even supported by the provider.".

    The Watchdog should have said that they only got 400.000 becuase the loss of a million customers sufficed as evidence that customers recognize crap more easily than managers or boardmembers.

  14. Anonymous Coward
    Anonymous Coward

    Watchdog?

    More like a bow-wow

  15. Domquark

    Wouldn't Trust 'Em

    A customer of mine has Talk Talk. He had a very specific issue with Talk Talk TV, which was resolved with a phone call to the Indian-based help desk. 10 minutes later, he received a call from someone claiming to be from Talk Talk. As proof that he was who he claimed to be, the person described (in detail) my customers [previous] specific issue that he had had with his TV. You can probably guess the rest, turn on your PC, go to this website, let me take control etc. etc.

    Needless to say, when I got there it took me an hour to remove all the rootkits/malware that the "Talk Talk Representative" had installed.

    Of course the question is, how did the second (dodgy) rep know about the first phone call? They must have been in the same call centre, with reps giving the details of customers to the dodgy ones. So, if you ever wonder how they get your details, that's how... After all, how can the supplier (Talk Talk) properly regulate the quality and privacy of a service that they buy from a third party 10,000 miles away?

  16. Anonymous Coward
    Anonymous Coward

    Yep still cheaper to ignore security.

    Until companies, and most importantly their investors, lose everything security will never get the attention it needs. We found that out with worker rights, environment and other issues.

    Even with the protections we put in place companies still kill workers unnecessarily, dump waste into the environment and defraud customers because sometimes it's pays.

  17. Matrix999

    Why aren't I surprised

    Talk Talk can not do anything right. In my opinion and from what I have read in various magazines I subscribe to which are all computer related, Talk Talk always have a exceedingly large volume of complaints from Ofcom. We were with Tascali before Talk Talk took over and immediately I anticipated problems. I was right. First there was an issue with a bill which we paid which they confirmed they received and we even provided evidence. We were told "Yep, all resolved, we can see you paid". Weeks later a letter in the post asking for the money. It dragged on for months. My partner was in tears because it was her account. Every time we rang their system was either down or they did not know the latest update so we got harassed. They did not appear to be working from a central database system so if we spoke to another person they would be clueless about what the update was. Another thing I read is when customers cancel, they still get billed. After our horrible experience we canceled and sure enough, we got a bill. It was an absolute nightmare! I am now with with another ISP.

    Back to the issue with stolen personal details. Apparently the maximum fine is £500k. Talk Talk got fined £400k.The worse thing about this is Talk Talk did not inform their customers until a year + later! I read it was more people impacted than what people are saying. Let's just say I would not go back to Talk Talk if they offered me their services for free. In the UK they need to be more strict though when it comes to laws/

    I would no go back to using Talk Talk if they offered their service for free. Everything about them is true. They are one of the worse companies in the UK when it comes to service. It was a lovely Scottish woman that helped us at the end and managed to update our details so we were no longer hassled but our issue should have been resolved immediately. Do yourself a favour and stay clear. If you do not have any complaints I am assuming it is because you have never had to contact their support so count yourself lucky!

    Talk Talk promote X Factor so they can attract youngsters to sign up. Horrible company.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like