TalkTalk hit with record fine for data breach

TalkTalk has been handed a record fine for failing to prevent a cyber attack on its website last year.

The mobile carrier was ordered to pay £400,000 by the Information Commissioner's Office (ICO) after the personal details of more than 150,000 customers was stolen in October 2015. The office has the power to hand down fines of up to £500,000, says the BBC.

It is the largest fine ever imposed by the ICO, which said TalkTalk's security was so poor the attack had succeeded "with ease".

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

Information commissioner Elizabeth Denham said: "Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations."

The ICO also noted that in 16,000 cases, customer's bank details were stolen. When the attack was first disclosed, TalkTalk warned the financial information of all of its four million customers could have been taken.

The attack cost TalkTalk more than £42m, said the company in May, with this figure set to rise to more than £60m once additional spending on security is taken into account.

TalkTalk also revealed that chief executive Dido Harding's salary had soared almost three-fold to £2.8bn for the last year. This was mostly due to a long-term incentive scheme, however, and her bonus for the past 12 months was halved to £220,000 – which she donated to charity.

The company said that more than 180,000 subscribers had taken their business elsewhere after the hack but it was recovering in the final months of its financial year and had added 148,000 new customers.

A police investigation is ongoing and six people, all under the age of 21, have been arrested.

TalkTalk pay measures prompt calls for cyber hacking fines

27 June

Last year telecoms firm TalkTalk was hacked. Criminals stole the bank account numbers, addresses, dates of birth and contact details of over 150,000 customers. The hack directly cost the company £42m, hit shareholders to the tune of £60m and prompted 100,000 customers to leave.

Despite all of that TalkTalk’s CEO Dido Harding took home £2.8m last year. Now MPs are calling for the bosses of companies that are hacked to be fined. Is that fair?

What happened at TalkTalk?

Last week TalkTalk announced that Baroness Harding’s bonus was being slashed by more than a third to £220,000 as a result of the firm’s security failings. Harding subsequently announced that she would donate the rest of the bonus to charity – Ambitious for Autism.

“It’s not often that company’s pay committees get praised, but TalkTalk’s deserve some credit today,” says Jim Armitage in The Standard.

“Despite the damage reaped by the cyber attack Harding would have been within her rights to claim a £341,000 bonus under the performance criteria in her contract. However, the committee used its discretion arbitrarily to dock £121,000 off the figure. Stripping a chunk off this year’s bonus is a good start, and giving what remained of it to charity adds to the common sense.”

“Dido, Queen of Cartharge, expressed anguish by building a pyre and jumping on it,” says Jonathan Guthrie in the Financial Times. “Her namesake Dido Harding has made a more modest bonfire of her £220,000 bonus.”

What do MPs want?

An inquiry into the cyber attack on TalkTalk by the Culture Media and Sport Select Committee has suggested that chief executives who fail to prevent cyber security breaches should have their pay docked.

“Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment,” Jesse Norman MP, chairman of the culture committee told The Telegraph.

“Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.”

Is that the right approach?

The data breach at TalkTalk came after a sustained period where the firm failed “to learn form repeated breaches of different kinds,” says Amie Gordon in the Daily Mail.

But, cyber crimes are a constantly evolving threat that many companies are struggling to keep up with. The focus needs to be on educating bosses to understand cyber security better, according to Lady Harding.

“You don’t need to be able to write the code, but you do need to be able to have a conversation with your engineers,” says Harding in The Times. “You’ve got to be able to speak enough tech to understand what risks you are taking, and have engineers that speak enough English to describe the consequences of the technology risk.”

The calls for pay docking are unnecessary, at least for now, as the EU already has the matter in hand, according to the Financial Times.

“That vague and duplicative proposal is the booming of empty vessels. Business faces tougher penalties and greater scrutiny over stewardship of information – the lack of it – as surely as the British summer bring torrential rainfall,” says Jonathan Guthrie. “The European Commission wants business to report data breaches to governments. Companies would also have to tell customers about serious information thefts. This would mean telling the press too.”

The UK has now voted to leave the EU, but analysts say it remains unlikely our government would get away with protecting consumers less than our neighbours do.

At present companies aim to cover up data breaches and Harding’s speed in announcing the leak was unprecedented. If they are forced to admit it and risk a plunging stock price and customer desertion it is likely most CEOs will start taking cyber security a lot more seriously, regardless of whether their own pay packet is likely to suffer.

TalkTalk chief's pay soars to £2.8m despite hacking woes

21 June

TalkTalk's chief executive Baroness Dido Harding has earned almost three times more in the past year than in the previous 12 months, despite a huge hit to the firm's profits brought about by a cyber attack last autumn.

Harding was paid a total of £2.8m for the year to 31 March, up from £1.05m in the preceding period, the Financial Times reports.

The paper notes that more than £2m of her earnings relate to a long-term incentive scheme based on the company's performance over three years. Harding's base salary rose two per cent to £550,000 and her variable bonus for performance in the past year was halved to £220,000.

She has announced that she will be donating the bonus to the UK charity Ambitious about Autism in recognition of the October hack and its effect on customers.

TalkTalk reported yesterday that its profits have fallen more than 50 per cent, from £32m to £14m, after paying out £82m in exceptional costs. The Daily Telegraph says around £42m of this figure relates to the cyber attack. Costs are expected to eventually rise to £60m, it adds.

In response, TalkTalk has cut bonus payout potential to senior staff from 62 per cent to 40 per cent, which was part of the reason why Harding's variable pay dropped.

The company has lost around 181,000 customers over the past year, plus around 25,000 TV customers. However, it believes it is seeing a recovery and says it added 148,000 new subscribers in the final three months of the year.

TalkTalk's shares rose about four per cent yesterday, but are down around two per cent today to a little below 220p.

TalkTalk ups hacking cost to £60m – but shares rise

3 February 2015

TalkTalk says a major cyber-attack on its systems back in October has cost it as much as £60m and will hit revenues to the tune of £20m again in the first quarter of this year.

Publishing results for the period yesterday, the mobile operator said it added fewer new customers and experienced greater "churn" as clients chose to leave following the attempted hacking. In total, it ended the quarter with 101,000 fewer customers than it began, notes the Financial Times, with around 95,000 of these in direct response to the attack.

This resulted in the loss of around £15m in revenues over the period, in addition to an increased estimate of between £40m-£45m for "exceptional costs", such as consultancy fees, security upgrades and other "incident response" expenses. Reduced revenues of £20m are expected for the three months to March.

The company was criticised for its initial handling of the attack, when it warned that the financial details of all of its four million customers could have been exposed, sparking fears of widespread fraud. In the event, only the incomplete details of around 156,000 customers were accessed.

There was also anger that exit fees were not waived for want-away subscribers unless fraud was proved.

Despite the hefty hit, which far exceeded the estimates issued in November, TalkTalk still managed to grow earnings for the past quarter. True, previous growth rates of around five per cent were not maintained, but at 1.8 per cent, the company performed far better than many had feared and full-year profit guidance is unchanged at £255m-£265m. Dividends are also set to increase 15 per cent.

Chief executive Dido Harding also pointed to evidence to show that customer numbers had improved in December, with the pick-up continuing into January. "Both churn and new connections recovered during December and January and independent external research have revealed that customers believe that we acted in their best interests," she told The Guardian.

Investors therefore reacted warmly, at one point trading shares up by 11 per cent. In the event, it closed up 1.8 per cent yesterday and was up another 0.6 per cent earlier today to 226p, well up on the 184p nadir reached last month.