IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more
Analysis

TalkTalk hack: should the company have encrypted customer data?

TalkTalk's CEO has said the company didn't encrypt all its customer data because it wasn't obliged to. Is she right?

Locks on a screen with one open and in red

One of the most significant questions to have arisen from the hack suffered by TalkTalkis why customers' data stored in the company's databases wasn't encrypted.

It may seem like hubris to many that Dido Harding, TalkTalk's CEO, told The Sunday Times sensitive personally identifiableinformation, including bank account numbers, sort codes and full names, were stored unencrypted because there is no legal obligation to do so.

"We have complied with all our legal obligations in terms of storing of financial information," she claimed.

But is she right - did TalkTalk fulfil its legal obligations even though it didn't encrypt this data?

The answer is, yes and no.

A spokesperson for the Information Commissioner's Office (ICO) toldIT Pro: "All organisations must have appropriate security measures in place to prevent the personal data they hold being accidentally or deliberately compromised. Any measures put in place should prevent security breaches or limit the damage if they do occur.

"As one single product cannot guarantee security, we would advise a combination of different tools and techniques. Encryption is just one way of doing this."

However, Mahisha Rupan a senior associate at law firm Kemp Little toldIT Pro: "If TalkTalk was not encrypting its customers' data, which is a fairly standard security technique, TalkTalk will need to show that it utilised other technology to secure and protect the data in a way that would otherwise fulfil its legal obligations."

The matter is now in the hands of the ICO, which will determine if TalkTalk did indeed comply with its legal obligations even though it didn't use encryption, and if the company is found to have failed in its duties, the ICO is able to fine the telco up to 500,000.

Affected customers also have recourse to independent legal action, should they wish.

"As an alternative to enforcement through the Information Commissioner's Office, customers may apply to directly to the courts to enforce their rights under the Data Protection Act 1998 in certain circumstances. Compensation to individuals can only be awarded by the courts and not by the Information Commissioner's Officer," explained Rupan.

However, she cautioned that "So far, very few claims for compensation have been made by individuals and, where they have, the awards have been low."

If you are worried you have been affected by the TalkTalk hack, get advice on what to do next here.

Featured Resources

AI for customer service

IBM Watson Assistant solves customer problems the first time

View now

Solve cyber resilience challenges with storage solutions

Fundamental capabilities of cyber-resilient IT infrastructure

Free Download

IBM FlashSystem 5000 and 5200 for mid-market enterprises

Manage rapid data growth within limited IT budgets

Free download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download

Recommended

Revealed: The top 200 most common passwords of 2022
cyber security

Revealed: The top 200 most common passwords of 2022

17 Nov 2022
Ransomware activity down 11% worldwide in Q3, but rise expected
ransomware

Ransomware activity down 11% worldwide in Q3, but rise expected

20 Oct 2022
Undetectable PowerShell backdoor discovered hiding as Windows update
vulnerability

Undetectable PowerShell backdoor discovered hiding as Windows update

19 Oct 2022
Escape the ransomware maze
Whitepaper

Escape the ransomware maze

23 Aug 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022
Windows users now able to run Linux apps and distros natively
Microsoft Windows

Windows users now able to run Linux apps and distros natively

24 Nov 2022