TalkTalk hack: should the company have encrypted customer data?
TalkTalk's CEO has said the company didn't encrypt all its customer data because it wasn't obliged to. Is she right?


One of the most significant questions to have arisen from the hack suffered by TalkTalk is why customers' data stored in the company's databases wasn't encrypted.
It may seem like hubris to many that Dido Harding, TalkTalk's CEO, told The Sunday Times that sensitive personally identifiable information, including bank account numbers, sort codes and full names, was stored unencrypted because there is no legal obligation to do so.
"We have complied with all our legal obligations in terms of storing of financial information," she claimed.
But is she right - did TalkTalk fulfil its legal obligations even though it didn't encrypt this data?
The answer is, yes and no.
A spokesperson for the Information Commissioner's Office (ICO) told IT Pro: "All organisations must have appropriate security measures in place to prevent the personal data they hold being accidentally or deliberately compromised. Any measures put in place should prevent security breaches or limit the damage if they do occur.
"As one single product cannot guarantee security, we would advise a combination of different tools and techniques. Encryption is just one way of doing this."
However, Mahisha Rupan, a senior associate at law firm Kemp Little, told IT Pro: "If TalkTalk was not encrypting its customers' data, which is a fairly standard security technique, TalkTalk will need to show that it utilised other technology to secure and protect the data in a way that would otherwise fulfil its legal obligations."
The matter is now in the hands of the ICO, which will determine whether TalkTalk did indeed comply with its legal obligations even though it didn't use encryption. If the company is found to have failed in its duties, the ICO is able to fine the telco up to £500,000.
Affected customers also have recourse to independent legal action, should they wish.
"As an alternative to enforcement through the Information Commissioner's Office, customers may apply directly to the courts to enforce their rights under the Data Protection Act 1998 in certain circumstances. Compensation to individuals can only be awarded by the courts and not by the Information Commissioner's Office," explained Rupan.
However, she cautioned that "So far, very few claims for compensation have been made by individuals and, where they have, the awards have been low."
If you are worried you have been affected by the TalkTalk hack, get advice on what to do next here.

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.