In the wake of its data breach last year, TalkTalk has been fined £400,000 by the Information Commissioner’s Office (ICO) for its poor data security. The breach included the theft of personal data belonging to 157,000 customers. The ICO stated that “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate systems with ease.”
Under the proposed GDPR regulations, which are due to take effect in 2018, the fine imposed would have been far higher.
Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, comments:
“I am pleased the ICO is taking this particular loss very seriously and believe that the amount is appropriate in the circumstances. Some people may think £400,000 is high, but let’s remember it is only £2.50 per impacted customer.
“However, the real loss to TalkTalk is far greater. It had a stock price drop of 11 percent, claimed to have lost 101,000 customers and had a revenue reduction of £80M in the quarter after the attacks. In addition, the name TalkTalk will forever be linked to this and its other data loss incidents.
“The lesson to other organisations is crystal clear – data is the crown jewels of your business; treat it with the utmost respect, secure it in every way possible both from malicious actors and inadvertent loss or misuse by employees and subcontractors. You are responsible to your employees, customers and suppliers to keep their data safe from the second it is collected.”
Gunter Ollmann, CSO at Vectra Networks added, “The severity of the hack attack on TalkTalk, had it happened two years from now, could have triggered even more punitive fines from the EU. Under the forthcoming EU General Data Protection Regulation (GDPR), the fines could have been much higher – up to four per cent of worldwide turnover. In the case of TalkTalk, that could have been £72 million based on 2015 turnover. In that respect, the company has got off lightly.”