TalkTalk Not “Legally Required” to Protect Customer Data

Cyberthieves recently hacked into British internet provider TalkTalk’s server and stole personal information on many of the company’s 4 million customers.

A 15-year-old suspect has been arrested in the case. As pointed out by the Financial Times,

…the arrest of such a young suspect will raise concerns about the ease with which the hack was carried out. The attack on TalkTalk’s website has been described as relatively unsophisticated by cyber experts.

All of that is bad enough, but so far there’s nothing unusual here. “Just” another hack exposing millions of people’s sensitive personal information.

What REALLY makes this story newsworthy – and shocking – is a statement that TalkTalk’s CEO, Dido Harding, made to The Sunday Times:

“[Our data] wasn’t encrypted, nor are you legally required to encrypt it,” Harding told the Sunday Times. “We have complied with all of our legal obligations in terms of storing of financial information.”

That’s an excuse for not protecting sensitive customer data?

And this is not the first time that TalkTalk has been hacked into this year. It’s not even the second time. It’s the third time. The company was also hit with data breaches in February and in August.

You would think that the third time would be the charm: that by the third breach, Harding would have learned her lesson and would be contrite and talking about the urgent measures the company is taking to improve security. Instead she makes excuses that “we have complied with all of our legal obligations…”

The company clearly has NOT complied with its moral obligation, its ethical obligation, to safeguard sensitive customer information. The internet is a fast-moving place. Executives cannot sit on their behinds and wait for the government to tell them what to do. More regulation is coming, no doubt. And equally without doubt the new regulations will be obsolete by the time they go into effect.

Businesses need to be proactive in protecting customer data – both because it’s the right thing to do, and because companies that don’t do so will find their customers voting with their feet and switching to companies that ARE committed to protecting their data. Oh, and then there are the inevitable lawsuits for not taking reasonable precautions in protecting customer data, and the major hit to share prices when a company gets a lot of bad press.

We’re amazed that a company in the internet business could take such a lackadaisical view toward data security.