ICO says TalkTalk customers need to get themselves a lawyer
'The threat from 3-year-old children must not be taken lightly' says info commish
A Parliamentary inquiry into the TalkTalk security breach heard the Information Commissioner, Christopher Graham, stress that aggrieved TalkTalk customers should lawyer up.
People expecting his office to sort out reparations for them should instead take their complaints directly to the telco, the committee was told.
The "TalkTalk Inquiry" was launched in November, after hackers ransacked the ISP's systems in October. The panel heard from the telco's CEO, Dido Harding, in December.
Graham said the Information Commissioner's Office (ICO) had six investigations underway into TalkTalk, three of which were "fairly minor". The Information Commissioner said "the three major ones are the 2015 incident, and two earlier incidents, one involving TalkTalk in its own right, the other is Carphone Warehouse."
He refused to discuss details for fear of "compromising the investigations".
Graham obliquely acknowledged that "an international dimension" to the attacks meant the investigations could not be completed swiftly, and offered no promise that the investigation into the 2015 "hack" would be completed in the 2016 calendar year.
TalkTalk timeline: 2014, breach; 2015, Carphone Warehouse; 2015, hack.
Increasingly Sophisticated
In a more concrete rejection of Dido Harding's claims following the breach, both Graham and Dr Rice – the technical lead for the ICO – stated that you didn't have to be a sophisticated hacker to break into systems these days: plenty of software vulnerabilities make people's personal information all too accessible.
There are videos on YouTube in which security experts are showing their three-year-old daughters how to implement SQL injections, the two claimed, as well as a host of automated tools allowing skiddies (script kiddies) entry into the world of cyber-crime.
Rice added that "specific attack vectors are still being investigated" in regards to the TalkTalk incident. Graham, perhaps jokingly, stated that "the threat from three-year-old children must not be taken lightly."
He added: "We can't emphasise enough, if it's so easy for some teenager with nothing better to do in an upstairs bedroom, then it should be easy for companies to defend against."
Graham turned down the idea of companies being liable for data breaches in the face of hackers, but noted that there had previously been three fines for firms hit by SQL injections.
Rice added that the three previous penalties in these instances recognised that fixing these vulnerabilities was all in the power of the web developers, and suggested that the fault lay with them in creating the vulnerability.
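As an added illustration, not taken from the article or from the ICO, of the defect class the two officials describe: a customer lookup built by string concatenation, beside the parameterized form that is entirely within a web developer's power to write. The table, the sample rows and the function names are constructed for this example.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample data; nothing here is real customer data.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER, email TEXT, plan TEXT)")
    con.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "fibre"), (2, "bob@example.com", "adsl")],
    )
    return con


def lookup_vulnerable(con, email):
    # The user-supplied value is spliced into the SQL text, so quote characters
    # in it change the query's structure rather than being treated as data.
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, email):
    # The driver sends the value separately from the statement; it is only ever
    # compared as a string and is never parsed as SQL.
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return con.execute(sql, (email,)).fetchall()


def demo():
    # The textbook probe every SQLi tutorial shows: for the concatenated query it
    # widens the WHERE clause to match every row; for the parameterized query it
    # is just an e-mail address that matches nothing.
    con = make_db()
    probe = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(con, probe),
        "parameterized": lookup_parameterized(con, probe),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Both functions return the same single row for a genuine address; only the concatenated version leaks the whole table on the probe, which is the distinction a code review or a static-analysis rule for string-built SQL is looking for.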
Look at a lawyer, not at me
When the committee raised the issue of TalkTalk's recalcitrance in allowing customers to leave – especially in regards to its prohibitive standards of proving the telco was responsible for any monetary loss suffered by breach victims – Graham said it was not his role to represent individual consumers.
"Individual customers will draw their own conclusions from our investigation," said the commissioner, "and may well want to talk to their lawyers."
His advice was paraphrased by the committee as: "Don't rely on fines, if you're a TalkTalk customer, walk," though the commissioner seemed to demur on this, stating that it wasn't his mandate to involve himself with public policy or contract law issues. ®
