The Information Commissioner's Office (ICO) has fined TalkTalk a record £400,000 for a massive data breach last year. Lawyers said that the ICO's decision to issue such a high penalty marked a clear step up in the intensity of enforcement action.
The fine was levied for serious contraventions of TalkTalk's security obligations as a data controller under the Data Protection Act 1998. The ICO found that the company's minimal level of protection and outdated software meant that the database could be easily hacked, and that the company should have identified this, particularly as software to fix such vulnerabilities had been available for three years. That the data available was personal data on individuals, which could make them susceptible to fraud, was also taken into account.