TalkTalk customers could take legal action following cyber attack
TalkTalk could face millions of legal claims by customers whose personal data was compromised in an attack on its website, according to a data protection expert.
The TV, broadband and phone provider confirmed this morning that a criminal investigation was underway following a “significant and sustained” cyber attack.
The company said there was a risk that customer data – including bank details – had been accessed, but that it was too early to tell how many of its four million customers had been affected.
Jon Baines, chairman of the National Association of Data Protection Officers, said there was the potential for legal claims by customers under the Data Protection Act (1998).
"The DPA allows an individual to claim for damages and distress compensation caused by contraventions of the Act," he told Cable.co.uk.
"On an individual basis such claims would not normally be particularly expensive, but if thousands of claims were to be successful the liability could be huge, especially if group litigation was pursued."
Mr Baines said the Information Commissioner's Office (ICO) also has the power to impose a financial penalty of up to £500,000 for serious contraventions of the DPA.
"The DPA requires organisations to have appropriate safeguards in place to protect customer data, having regard to the state of technological developments, and resources available," he said.
"As far back as 2008 the ICO took enforcement action against TalkTalk because of its poor DPA compliance, and required steps to be taken to protect customer data – the question now for the ICO will be, did TalkTalk take those steps, and if so, why has this incident now happened?"
TalkTalk said it is working with the Metropolitan Police and cyber crime specialists to establish exactly what happened and what information was compromised.
It also said the customer data that could have been accessed includes names, addresses, dates of birth, phone numbers, email addresses, TalkTalk account information, credit card details and bank details.
In a statement on its website, TalkTalk admitted that not all of the data on its website was encrypted, adding: "We constantly review and update our systems to make sure they are as secure as possible.
"We believed our systems were as secure as they could be. We work with world leading security experts and update our systems constantly.
"As soon as we realised the website was under attack, we pulled the website down in an effort to protect data. As a further precautionary measure, we contacted our customers straight away to warn them of the potential risk and provide advice on what to do.
"Unfortunately these criminals are very smart and their attacks are becoming ever more sophisticated."
TalkTalk CEO Dido Harding, who is reported to have received a ransom note from a group purporting to be behind the attack, said: “TalkTalk constantly updates its systems to make sure they are as secure as possible against the rapidly evolving threat of cyber crime, impacting an increasing number of individuals and organisations.
“We take any threat to the security of our customers’ data extremely seriously and we are taking all the necessary steps to understand what has happened here.
“As a precaution, we are contacting all our customers straight away with information, support and advice around yesterday’s attack.”
The Metropolitan Police's Cyber Crime Unit confirmed in a statement that it is investigating "an allegation of data theft from a telecommunications website".
“The theft was reported to the Met on Wednesday 21 October. There have been no arrests and enquiries are ongoing,” it said.
“We are aware of speculation regarding alleged perpetrators; this investigation remains at an early stage; a full assessment of the alleged data theft is ongoing.”
A spokesperson for the Information Commissioner's Office said: "The ICO is aware of this incident, which was reported to us on Thursday afternoon. We will be making enquiries and liaising with the police.
"Any time personal data is lost there can be a risk of identity theft. There are measures you can take to guard against identity theft, for instance being vigilant around items on your credit card statements or checking your credit ratings."
The cyber attack isn’t the first to have hit TalkTalk this year. Scammers targeted the company in February, stealing account numbers and names from its customer database.
TalkTalk said at the time it had taken “serious steps” – including working with an external security company – to remedy the situation and protect itself against further attacks.
It also advised customers to be wary of phone calls from people claiming to be calling from TalkTalk.
But a number of customers were tricked into handing over their bank details or installing software that would make their computers vulnerable to attack.
One victim was 74-year-old Julie Norton, who was scammed out of nearly £3,000 after the information theft.
Mrs Norton was duped into handing over her savings during a phone call from a woman who claimed to be from the provider.
Additional reporting by Ellen Branagh.