Talk Talk Fine Shows ICO 'Hung Up' on Data Security

7th October 2016 Commercial

Regular readers of this 'blog will no doubt be familiar with the fact that data security is a topic of acute concern. It is also an increasingly frequent aspect of the work which I do.

I am dismayed, therefore, but not completely surprised by increasingly regular media reports of organisations' failings being exposed.

The latest is the telecoms company, Talk Talk. Last October, hackers were able to access the accounts of 157,000 of the company's customers, stealing data which included payment details, addresses and telephone numbers.

Having already underlined her commitment to treat data breaches with seriousness as she took her post as Information Commissioner in July, Elizabeth Denham has now followed up by handing Talk Talk a record £400,000 fine: (

The firm has put the cost of the hack at £60 million with more than 100,000 individuals taking their custom to rival businesses in the months that followed. In Talk Talk's words they have seen high customer 'churn', corporate speak for people voting with their feet.

There is also an ongoing criminal investigation into the breach and, I would suggest, the very real prospect of legal action by those whose private and personal information was taken. However, in trying to put the best possible gloss on its own predicament, Talk Talk has made clear just how severe a threat data privacy is for the majority of organisations.

Its response quoted 'Government data [which] showed nine in ten large UK businesses were successfully breached' in the last year.

We should not lose sight of the fact that these are not mere statistics but large numbers of people who entrust confidential information to corporations and, despite being innocent of any wrongdoing whatsoever, suffer as a result, something I am only too well aware of.

For example, I am currently acting on behalf of several thousand past and present employees of the retailer Morrisons whose data was stolen by a former colleague later jailed for the crime (

I also represent individuals whose details were misused in a security breach at the management software company Sage.

In addition, this summer I secured a £5,000 settlement for a woman whose details were released by Greater Manchester Police without her consent (

These sorts of incidents are far from the only cases that myself and the team at JMW are dealing with.

Indeed, instead of being as 'diligent and vigilant' as the Information Commissioner has described and required, some organisations only seem to step up data security when confronted with the prospect of regulatory penalties and legal action.

It would be nice to imagine that the record fine imposed on Talk Talk would be a watershed with customers and staff of all organisations experiencing no problems hereafter. Sadly, I believe that it is far from being the last such sanction.

To discuss the Talk Talk data leak with the team at JMW and myself please do not hesitate to contact the team.

We're Social

Nick McAleenan is a Partner located in Manchester in our Media & Reputation Management; Data Protection & Privacy department

View other posts by Nick McAleenan

Let us contact you


COVID-19 Update - Our website and phone lines are operating as normal and our teams are on hand to deal with all enquiries. Meetings can be conducted via telephone and video conferencing.

View our Privacy Policy

Areas of Interest