
ICO says TalkTalk customers need to get themselves a lawyer

'The threat from 3-year-old children must not be taken lightly' says info commish

A Parliamentary inquiry into the TalkTalk security breach heard the Information Commissioner, Christopher Graham, stress that aggrieved TalkTalk customers should lawyer up.

People expecting his office to sort out reparations for them should instead take their complaints directly to the telco, the hearing heard.

The "TalkTalk Inquiry" was launched in November, after hackers ransacked the ISP's systems in October. The panel heard from the telco's CEO, Dido Harding, in December.

Graham said the Information Commissioner's Office (ICO) had six investigations underway into TalkTalk, three of which were "fairly minor". The Information Commissioner said "the three major ones are the 2015 incident, and two earlier incidents, one involving TalkTalk in its own right, the other is Carphone Warehouse."

He refused to discuss details for fear of "compromising the investigations".

Graham elusively acknowledged that "an international dimension" to the attacks meant that the investigations were not able to be completed swiftly, and offered no promise that the investigation into the 2015 "hack" would be completed in the 2016 calendar year.

TalkTalk timeline

2015: Hack
2014: Breach
2015: Carphone Warehouse

Increasingly Sophisticated

In a more concrete rejection of Dido Harding's claims following the breach, both Graham and Dr Rice – the technical lead for the ICO – stated that you didn't have to be a sophisticated hacker to break into systems these days: plenty of software vulnerabilities make people's personal information all too accessible.

There are videos on YouTube in which security experts are showing their three-year-old daughters how to implement SQL injections, the two claimed, as well as a host of automated tools allowing skiddies (script kiddies) entry into the world of cyber-crime.

Rice added that "specific attack vectors are still being investigated" in regards to the TalkTalk incident. Graham, perhaps jokingly, stated that "the threat from three-year-old children must not be taken lightly."

He added: "We can't emphasise enough, if it's so easy for some teenager with nothing better to do in an upstairs bedroom, then it should be easy for companies to defend against."

Graham turned down the idea of companies being liable for data breaches in the face of hackers, but noted that there had previously been three fines for firms hit by SQL injections.

Rice added that the three previous penalties in these instances recognised that fixing these vulnerabilities was all in the power of the web developers, and suggested that the fault lay with them in creating the vulnerability.

Look at a lawyer, not at me

When the committee raised the issue of TalkTalk's recalcitrance in allowing customers to leave – especially in regards to its prohibitive standards of proving the telco was responsible for any monetary loss suffered by breach victims – Graham said it was not his role to represent individual consumers.

"Individual customers will draw their own conclusions from our investigation," said the commissioner, "and may well want to talk to their lawyers."

His advice was paraphrased by the committee as: "Don't rely on fines, if you're a TalkTalk customer, walk," though the commissioner seemed to demur on this, stating that it wasn't his mandate to involve himself with public policy or contract law issues. ®
