Thursday, 5 November 2015

Have TalkTalk breached the Data Protection Act? Certainly a possibility.

With admirable gusto TalkTalk have answered the above question on their own website by saying "No, this is a criminal attack. We have notified the ICO and we will work closely with them over the coming weeks and months".

There we are: no need for any type of judicial system; we can all simply decide for ourselves whether we have complied with legislation.

In the real world (and given the sanctions from the ICO that TalkTalk has received previously) it is not likely to be as simple as that.

Principle 7 of the Data Protection Act states that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

If reports that the attack on TalkTalk was based on SQL injection are true then, given that input validation methods will prevent this, a company the size of TalkTalk would not appear to have taken appropriate measures.
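As an added illustration of the control the post refers to (example code written for this page, not anything from TalkTalk or from the original post): the vulnerable lookup splices the customer id into the SQL text, while the hardened one checks the input against an allow-list and then binds it as a query parameter, the standard defence that input validation complements. The table, rows and ids are constructed.

```python
import re
import sqlite3

# Constructed sample data: a tiny customer table standing in for a real one.
CUSTOMERS = [
    (1001, "alice@example.com", "Alice"),
    (1002, "bob@example.com", "Bob"),
    (1003, "carol@example.com", "Carol"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    return conn

def lookup_unsafe(conn, customer_id):
    # Vulnerable pattern: untrusted input is spliced into the SQL text,
    # so the database parses whatever the caller supplied as part of the query.
    sql = f"SELECT id, email FROM customer WHERE id = {customer_id}"
    return conn.execute(sql).fetchall()

# Allow-list (assumed format): an account id is a short string of digits only.
ACCOUNT_ID = re.compile(r"^[0-9]{1,10}$")

def lookup_safe(conn, customer_id):
    # Defence 1: reject anything that is not the expected shape before it reaches SQL.
    if not ACCOUNT_ID.fullmatch(str(customer_id)):
        raise ValueError("invalid customer id")
    # Defence 2: parameterised query; the value is bound as data, never parsed as SQL.
    sql = "SELECT id, email FROM customer WHERE id = ?"
    return conn.execute(sql, (int(customer_id),)).fetchall()

def demo():
    conn = make_db()
    legit = "1002"
    crafted = "1002 OR 1=1"  # constructed input that alters the query's logic
    results = {
        "unsafe_legit": len(lookup_unsafe(conn, legit)),
        "unsafe_crafted": len(lookup_unsafe(conn, crafted)),  # every row leaks
        "safe_legit": len(lookup_safe(conn, legit)),
    }
    try:
        lookup_safe(conn, crafted)
        results["safe_crafted"] = "accepted"
    except ValueError:
        results["safe_crafted"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```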

No doubt a commercial decision was taken somewhere within TalkTalk that the cost of defending against an SQL injection attack was not justified and that the risk was acceptable.

The problem perhaps is that TalkTalk were trusted to keep customer data safe, and had they asked the customer base to decide between staff bonuses and slightly better protection against having all their data stolen, the decision would probably have been the latter.

Until we know the nature of the attack and whether appropriate measures had been taken to prevent it, it is too early to say whether a breach has occurred.
