TalkTalk's appeal against paltry ICO data breach fine thrown out

TalkTalk has lost its appeal against the Information Commissioner's Office decision to fine the company £1,000 for a data breach last year. The ICO imposed a monetary penalty on TalkTalk for its failure to notify the Commissioner of a personal data breach within 24 hours after its detection, in circumstances it considered were …

  1. tiggity Silver badge

    Not fit for purpose

    1 grand fine - what's the point? Should have been serious money

    Typical Talk Talk appealing even that paltry amount

    1. AndyS

      Re: Not fit for purpose

      The point is to make a point, that they were in breach.

      The point of appealing was to try and reverse that point.

      The fact that the actual amount of money is basically meaningless proves that this is about making quite important points, not about the money.

      Talk talk may be pretty awful, but their behaviour in appealing this is perfectly logical.

      1. John Brown (no body) Silver badge

        Re: Not fit for purpose

        "Talk talk may be pretty awful, but their behaviour in appealing this is perfectly logical."

        It's only a logical course of action if their lawyer can point to something in the law which s/he thinks might prove the case in their favour. This was pretty cut and dried. The breach, by definition, had already happened and it should not have. It was clearly their fault for not doing a proper security audit. Even if they had paid for an external security consultant to do the audit and s/he was incompetent, that's still TalkTalk's fault. The buck has to stop somewhere. They could, of course, then go on to sue an external agent if they thought they got a bum deal from said agent.

  2. paulf Silver badge

    Seriously?

    They went to all the hassle of lawyering up to contest a £1000 fine? Considering the costs incurred by the ICO in defending their decision against the appeal I'd have considered a min 100x increase to be appropriate punishment for such an egregious appeal.

    I accept they may have been trying to reverse the conviction rather than the nominal amount of the fine but if Dido's contrite wailings* had any credence they would have paid up, written off the £1k to experience, booked a gain from having deprived the lawyers of their hundreds of billable hours (or even spent the savings on some proper IT security bods) and moved the fuck on.

    *Yes, I know. During that performance I was half expecting a caption to flash up, "Members of the Academy: Vote now!"

    1. Smooth Newt

      Re: Seriously?

      They probably appealed as part of their strategy for "maintaining their corporate reputation". They have, of course, succeeded.

    2. Anonymous Coward

      Re: Seriously?

      "They went to all the hassle of lawyering up to contest a £1000 fine?"

      In this case that's the biggest fine the ICO can offer for late notification. However, as a general rule, the fines (or "monetary penalties") that UK regulators impose are decided by a range of factors, including a particular consideration of the track record of offenders. If TT can get out of the £1k fine, it will have a bearing on future penalties for next time they screw up. With the ICO only handing out a theoretical maximum £500k fine for major breaches that still doesn't matter. But under the EU GDPR fines could be very serious from May 2018, and that's probably what is being played for here.

      The Remainderers will weep and gnash their teeth and say that Brexit means we won't have any protection under GDPR because it probably won't be enforced during the leaving period. In strict terms that's not proven, but even if that is the case I would suggest that the UK government will not wish to have the weakest data protection regime in the developed world (and a system that prevents data transfer from the EU), so a UK act of similar standards is a near certainty.

      So for TalkTalk, appealing the penalty makes economic sense, since even the smallest chance of success is worth hoping for.

    3. Alan Brown Silver badge

      Re: Seriously?

      "They went to all the hassle of lawyering up to contest a £1000 fine?"

      The fine is from the ICO.

      The consequent exposure to private legal action is virtually unlimited and the ICO fine makes it uncontestable as the court will see it as proof that they were deficient under the act.

  3. Destroy All Monsters Silver badge

    One hour of CEO's billable time

    Industrial production of bespoke bullshit and spin: Amazingly still pretty expensive in 2016.

    One would think the price would have dropped precipitously in the last 20 years or so.

    Where, oh where can I get my Cheap Bullshit Fix??

    1. Anonymous Coward

      Re: One hour of CEO's billable time

      "Where, oh where can I get my Cheap Bullshit Fix??"

      Anywhere in the US, in the run up to November 8.

      Our version ran until June .. oh, although there's a smaller version going on at the moment ..

      1. Alan Brown Silver badge

        Re: One hour of CEO's billable time

        "Anywhere in the US, in the run up to November 8."

        This is a special kind of bullshit, which unlike the normal kind, kills vegetation.

  4. This post has been deleted by its author

  5. circusmole

    Just another example...

    ...of the strange bubble/parallel universe that ego-centric Dido and her mates live in. If she spent as much time and effort sorting out TalkTalk's security issues... but that's part of her paid job, so no chance of that getting done.

  6. Anonymous Coward

    as long as precedent set of £1000 fine per individual whose data are compromised, and as long as that passes on to every other breach by TalkTalk, then this isn't a bad start for punitive element. Provided, of course, there's also compensation to the individuals concerned, of at least twice the amount put at risk in each case.

    1. My-Handle

      That's kind of what gets me in these situations. A company like TalkTalk messes up and spills millions of their customers' personal data across the net. Regardless of whether the company get fined or not for their lack of security, those who are actually hurt by the company's negligence don't see a penny of it. Instead, whenever the victim of a data breach is subsequently the subject of bank / identity fraud, they are usually blamed for having poor security / bad passwords.

      A combination of stiffer fines and enforced refunds are definitely in order, I feel.

      1. heyrick Silver badge

        "A combination of stiffer fines and enforced refunds are definitely in order, I feel."

        ...and the CEO given a box, five minutes, then escorted from the premises with all contacts terminated.

        And rather than complaining she should feel lucky she wasn't given a sword and an empty patch of floor space.

        Because until the fucking management feels hurt in these situations, they will continue, as will the idiotic fines.

        1. John McCallum

          Unfortunately it will not be a top tier manager but some poor sod much lower down in the pecking order.

      2. Alan Brown Silver badge

        "those who are actually hurt by the company's negligence don't see a penny of it."

        Only because they've chosen not to take private legal action.

        The ICO fines are for cocking up. Any payments to those affected are contingent on private action being taken by those affected people.

  7. adam payne Silver badge

    "TalkTalk has lost its appeal against the Information Commissioner's Office decision to fine the company £1,000 for a data breach last year."

    I should hope they did lose their appeal. The only appeal Talk Talk need to make is an appeal for forgiveness from all the people affected by their lacklustre security.

    The handling of these hacks and breaches by Talk Talk has been appalling. Talk Talk won't be able to restore their reputation by appealing fines for data breaches.

    1. VulcanV5

      Re: TalkTalk's appeal against etc etc

      "Talk Talk won't be able to restore their reputation by appealing fines for data breaches." You being serious? At this stage in its life cycle, TalkTalk doesn't give a bugger about "reputation". All it cares about is fishing the moron pool to exhaustion. When there's a final irreversible decline in the number of morons signing up for its services, then and only then will it think about 'reputation' -- as in, how much value might be attached to the TalkTalk name, now that the business is up for sale...

  8. Anonymous Coward

    Recently, a flyer from Talk-Talk landed on my doormat..

    I tore it up and put it in the recycling bin

    I now want a million upvotes.

  9. TWB

    I voted with my feet

    I enjoyed filling out the 'why did you leave' questionnaire though I suspect TT will not act on what really matters.

  10. Paul

    I can imagine that there was a bug in TalkTalk's bug tracker along the lines of "under specific circumstances a customer might see another's data" which was marked down in priority over adding a specific new feature like "add another advert on the page for TalkTalk's products".

    I can also imagine that the developers probably shouted out this needed to be investigated and fixed, and requested more hardware and QA/testing staff to work on it, and they were told that giving Dido and other directors a bigger bonus and a new car was more important.

    And I can imagine that when the bug went public, the developers would have been berated for not fixing it.

  11. Anonymous Coward

    Don't worry - TalkTalk customers will be paying the fine.

    More importantly, why isn't anyone asking the obvious:

    "How come TalkTalk still has any customers?".

  12. Dave 15

    Is she worth that much?

    The people that do the REAL work of the company are paid the same in a year as she is in a day or two... really, is ANYONE worth that much more than the rest of their workforce? I am not really a communist but to be honest there must be limits surely there are?

    1. Anonymous Coward

      Re: Is she worth that much?

      Of course she is.

      In the circumstances, your annual Capitalism training course has been brought forward to September to clarify your uncertainty on this fundamental premise of our society.

      War is peace. Freedom is slavery. Ignorance is strength.

      Resistance is futile.

  13. Zap

    Every week on BBC consumer shows there are victims of TalkTalk Hack and the TalkTalk data sale (when IT company in India it appointed had employee that sold data).

    One lady lost £7000.

    How about a fine of £1000 per person whose data was stolen, they were saying it was around 159,000 customers but I suspect it is in the millions, how could they even know.

    Companies of such a size can take precautions to prevent a hack and THERE IS NO EXCUSE for an IT-aware company like TalkTalk to have allowed themselves to be hacked.

    Never mind selling off BT wholesale (which TalkTalk are always pushing for) how about we sell off TT biz?
