The ICO Takes a Stand on Data Protection Enforcement
The ICO Takes a Stand on Data Protection Enforcement

The UK Information Commissioner’s Office (ICO) just issued a record fine to UK telecom company TalkTalk in connection with an October 2015 data breach. The £400,000 fine was issued after an in-depth investigation found that the cyber attack could have been prevented with “basic steps,” and such negligence resulted in cybercriminals gaining access to customer data “with ease.”

What were the “basic steps” revealed in the investigation?  These included a failure to scan some of their infrastructure for possible threats and the use of outdated database software. In addition, there were two prior SQL injection attacks that exploited the same vulnerabilities, which should have alerted TalkTalk to the issue.

“The attacker used a common technique known as SQL injection to access the data. SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data, the ICO investigation found.”

TalkTalk has already spent in excess of £35million in remediation and lost revenue costs. The ICO has added to this another £1,000 penalty fine as TalkTalk failed to notify the Commissioner’s Office within 24 hours of becoming aware a data breach had occurred. Records show that the ICO was only notififed after TalkTalk had concluded their in-house investigation. Both fines serve to underscore the hard line that the ICO has drawn when it comes to data security enforcement.

The regulatory environment is more complex than ever before, both in the US and abroad. Compliance requirements from various government levels and enforcement actions by industry regulators make it more difficult than ever to keep on top of data protection requirements and breach notification requirements. The implications of the EU General Data Protection Regulation (GDPR) should also be top of mind for global organizations.

The ICO & Future Fines Under the GDPR

Absolute’s data regulation advisor and lawyer at Cordery, Jonathan Armstrong recently spoke with the ICO’s Iain Bourne about the current state of data protection in the UK and Europe. Get a preview of his discussion below, which includes information about how the ICO will assess higher fines under the GDPR.

With Absolute Data & Device Security (DDS), organizations can regain control over the endpoint and the data contained therein, even if held in cloud storage applications. With insight from Absolute DDS reporting and alerts, you can prevent or respond to data breaches, remotely deleting data or locking down devices, and prove compliance if needed. Learn more at


Arieanna Schweber

Arieanna Schweber has been a part of the Absolute writing team since 2007. Arieanna was Canada’s first female professional blogger and has been professionally blogging since 2006 and has spoken at leading blogging conferences including BlogHer and Northern Voice. Arieanna has a joint degree in Business and Communications from Simon Fraser University and continues to build communities for Vancouver-based clients.