TalkTalk Data Breach
Published: 29/10/2015
Following the news that TalkTalk suffered a severe customer data breach, it is understood that personal information, including bank account details, has been leaked to cybercriminals and many customers have fallen victim to having their bank accounts emptied or money taken without consent. TalkTalk has admitted that it had not encrypted customer data, but also noted that it was not legally obliged to do so. Where does this leave TalkTalk’s 4 million customers who have suffered loss or may still be at potential risk of loss?
Prevent or minimise your chance of loss
- Change your account password as soon as possible. If you have used the same password anywhere else, change the passwords for all those other services.
- Watch your bank statements closely and do not keep all your money in your current account, just enough to cover expenses/bills for the next 30 days or whatever time period works for you. Report any unusual activity on your accounts to your bank and to the UK's national fraud and internet crime reporting centre, Action Fraud, on 0300 123 2040 or www.actionfraud.police.uk.
- Be wary of any phone calls purporting to be from your bank or service provider (e.g. utilities, phone/TV/broadband etc.) and do not disclose any personal information unless you are satisfied that the caller is a genuine representative of the relevant company. You have a right to request additional identification from a self-proclaimed representative. Alternatively, you may choose to terminate the call and call the company back on a trusted number, such as one printed on the back of an invoice or statement.
Claims for compensation
It is not yet clear whether or not TalkTalk was in breach of the Data Protection Act 1998. TalkTalk maintains its stance that, even though it did not encrypt personal data, it was not in breach of the Act because it was a criminal attack. However, the seventh principle of the Data Protection Act states: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” There is therefore an argument that sensitive customer data should have been encrypted, and so rendered useless to cybercriminals in the event of a data hack. The Information Commissioner’s Office will decide TalkTalk’s fate in due course.
If the Information Commissioner’s Office determines that TalkTalk did breach the Data Protection Act, any customers who suffered loss by having their bank account emptied will have the right to claim compensation from TalkTalk.
Move provider penalty free
If you purchased the service within the last 30 days, under the Consumer Rights Act you have the right to reject the service and in most cases get a full refund.
In the wake of the data breach, TalkTalk said that its normal terms and conditions applied. However, on Monday 26 October, its website was updated to say that "in the unlikely event that money is stolen from a customer's bank account as a direct result of the cyber-attack (rather than as a result of any other information given out by a customer) then as a gesture of goodwill, on a case by case basis, we will waive termination fees". In order to be eligible for consideration to leave without an early termination fee, you must meet the following criteria:
- You must have had money taken from your account without your authorisation
- The money must have been taken on or after Wednesday 21 October 2015
- You must have contacted Action Fraud (details above) to obtain a Crime Reference Number
Content correct at time of publication