ICO says TalkTalk customers need to get themselves a lawyer

A Parliamentary inquiry into the TalkTalk security breach heard the Information Commissioner, Christopher Graham, stress that aggrieved TalkTalk customers should lawyer up. People expecting his office to sort out reparations for them should instead take their complaints directly to the telco, the hearing heard. The "TalkTalk …

  1. Anonymous Coward
    WTF?

    Hold on a moment

    Seriously? The Information commissioner stated

    "Graham turned down the idea of companies being liable for data breaches in the face of hackers, but noted that there had previously been three fines for firms hit by SQL injections."

    on the eve of, or on, 28th January 2016, "European Data Protection Day".

    1. Sir Barry

      Re: Hold on a moment

      Maybe, the first data breach could be 'free', but any further breaches incur fines.

      After all, if an organisation (such as a hospital or council) loses a CD/DVD/laptop containing peoples info they get fined.

      Why should on-line data breaches be treated differently?

      1. Terry Barnes

        Re: Hold on a moment

        "Why should on-line data breaches be treated differently?"

        Because they're different things?

        One is a failure to take proper care by an employee of the organisation trusted to look after your data. The other is a criminal act undertaken by a third party.

        I'd only expect a company to be liable if they can be shown to have not followed current best practice and taken steps to minimise the likelihood and impact of such an act.

        If I get pickpocketed in M&S I wouldn't expect them to reimburse me unless they could be somehow shown to have been less than diligent.

        1. oldcoder

          Re: Hold on a moment

          That sounds like what they said. Being negligent should get fined.

          1. Sir Barry

            Re: Hold on a moment

            A second breach should be classed as negligent as the website should have been overhauled after the first breach to ensure it didn't happen again.

            1. Terry Barnes

              Re: Hold on a moment

              Even if the second one is down to a different, previously unknown exploit?

              1. John Brown (no body)

                Re: Hold on a moment

                "Even if the second one is down to a different, previously unknown exploit?"

                Yes, because these are not unknown exploits being used. They might well have been unknown to the web devs because they were not aware of the holes or never did any pen testing. According to the article, people are teaching their 3 year old kids to do SQL injections and "skiddies" are downloading tools to hack sites. So, it's at least incumbent on the web devs and the companies they work for to protect against these "hacks" which any 3 year old can learn about and find on the interwebs.

              2. Alan Brown

                Re: Hold on a moment

                The second exploit was well-known and has been documented for over a decade.

                The only "unknown" part was down to the website developers believing their own press releases.

                A security audit AFTER the first breach should have found it and a security audit BEFORE the first breach would have avoided the breaches.

            2. LucreLout

              Re: Hold on a moment

              @Sir Barry

              All instances of SQL injection stem from ignorance by an unskilled developer, coupled with negligence by the company in not adequately verifying their product prior to release.

              There's simply no excuse for it in 2016 and it is wholly inappropriate for the ICO to suggest that there might be.

              Little Bobby Tables will be old enough to vote soon!
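An added illustration of the flaw the comments above are arguing about, not part of the thread and not TalkTalk's code: the same customer lookup written the way it gets injected (string concatenation) and the way it should be written (a bound parameter), run against a constructed in-memory SQLite table. The table, the rows and the two payloads are all invented for the example; the payloads are the generic tautology and UNION forms that any tutorial or scanner covers, which is exactly the point being made about how little skill they require.

```python
import sqlite3

# Constructed sample data: a toy customer table standing in for the kind of
# records a telco web front end would query. Addresses and numbers are invented.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "01234 000001"),
    ("bob@example.com", "01234 000002"),
    ("carol@example.com", "01234 000003"),
]


def make_db():
    """Build an in-memory SQLite database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)"
    )
    # executemany with ? placeholders is itself the safe pattern.
    conn.executemany(
        "INSERT INTO customers (email, phone) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The classic mistake: user input pasted straight into the SQL text.

    Whatever the caller types becomes part of the statement, so quote
    characters, OR clauses and UNIONs are all interpreted as SQL.
    """
    sql = "SELECT email, phone FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """The fix: a bound parameter. The driver passes the value separately from
    the statement text, so the input is only ever compared as data."""
    sql = "SELECT email, phone FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two textbook payloads (invented here, not taken from any real incident).
TAUTOLOGY = "' OR '1'='1"                                        # dump every row
SCHEMA_LEAK = "' UNION SELECT name, sql FROM sqlite_master --"   # read the schema


def demo():
    """Run both lookups against an honest input and both payloads; return the rows."""
    conn = make_db()
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "alice@example.com"),
        "honest_parameterised": lookup_parameterised(conn, "alice@example.com"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "tautology_parameterised": lookup_parameterised(conn, TAUTOLOGY),
        "schema_vulnerable": lookup_vulnerable(conn, SCHEMA_LEAK),
        "schema_parameterised": lookup_parameterised(conn, SCHEMA_LEAK),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query the tautology returns all three customers and the UNION payload returns the CREATE TABLE text out of sqlite_master, which is how an attacker maps a schema before pulling the real columns. With the bound parameter both payloads are compared literally against the email column and return nothing. The lesson matches the thread: the fix is not exotic, it is the parameterised form the driver already provides.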

        2. DaLo

          @Terry Re: Hold on a moment

          "If I get pickpocketed in M&S I wouldn't expect them to reimburse me unless they could be somehow shown to have been less than diligent."

          A better analogy... If you have to leave your wallet with M&S staff to shop at their store and then they put it in an unlocked and unguarded cupboard and someone steals it, would you expect them to reimburse you?

          I know I would.

        3. Anonymous Coward

          Re: Hold on a moment

          That's a rubbish analogy. If you are pickpocketed, *your* wallet is taken out of *your* pocket whilst *you* are responsible for it. How am I supposed to secure my data held by a third party?

  2. Known Hero

    Timeline ?!?!?!

    Your timeline goes

    2015

    2014

    2015

    Personally I'm a fan of the notion that time is linear, but then again maybe I'm turning into an old fuddy-duddy ....

    1. NotBob

      Re: Timeline ?!?!?!

      That's the new "common core" history in US schools. Or perhaps it's our new "common core" math. Either way, sounds like something our gov't would have our schools produce.

      Terribly sorry it got out. We'll just rope it and drag it back into the pen over here...

  3. Tony S

    WalkWalk

    "His advice was paraphrased by the committee as: "Don't rely on fines, if you're a TalkTalk customer, walk," "

    Maybe if enough customers did actually WalkWalk, the company might re-think its processes. But I wouldn't hold out any hope for that.

    1. Anonymous Coward

      Re: WalkWalk

      I did WalkWalk, and got a threatening message about debt collection if I didn't pay money that isn't even owed, requiring me to respond within seven days: I replied on the sixth day, similarly requiring them to respond to me within seven days, and three weeks later I had a response apologising for their slow reply but that the money is still outstanding and again requiring a response within seven days. So I replied again - this time same day, and we're talking December, requiring answers to questions and proof my data is now safe or their agreement that there is no money outstanding (and a lack of response would constitute that agreement). Still no response, so obviously they have decided no money is owed to them - after all, if they can demand a reply within seven days or consequences, so can I, and if they claim otherwise, it's an unfair contract.

      I'm still waiting for a call back with contact details for a UK-based manager that I can talk to - since asking for it in November, though ......

      1. Anonymous Coward

        Re: WalkWalk

        Isn't this simply a case of gross negligence, and thus a breach of their obligations as a supplier under UK law?

        If BarfBarf is given a choice between getting a judgement against them confirmed by a pissed off customer (which nukes any ability to threaten people with debt collection measures) or letting the clever ones slide I reckon BarfBarf will choose the latter.

        They may try a doorstop settlement (letting it go all the way until the day in court), but I suspect pushing it would not be in their interest. Not only would they lose this customer and suffer a lot of collateral damage, the extra publicity alone on how they treat their customers after they screw up would not exactly help entice new lemmings to fill the gaps.

        If I were BarfBarf marketing I'd quietly let the unhappy customers go without too much of a fight so the noise dies down, and then start with promotions to catch new victims. In a month, the dumb ones won't even remember this ever happened.

        1. Alan Brown

          Re: WalkWalk

          "They may try a doorstop settlement (letting it go all the way until the day in court),"

          They have been.

          The danger with that approach is that if the plaintiff wants to, he can insist on getting into court and getting a decision, which given the ICO report is highly likely to go against TT and thereby set guidelines for future cases.

          1. Anonymous Coward

            Re: WalkWalk

            "They may try a doorstop settlement (letting it go all the way until the day in court),"

            They have been.

            The danger with that approach is that if the plaintiff wants to, he can insist on getting into court and getting a decision"

            Or the former customer can be a stubborn *, and say that they implied they don't want any money anyway by choosing not to reply to questions about what happened - so provide someone who can say what happened, right now, in this court, and you'll be paid. Alternatively, put your CEO on the stand to explain why it was allowed to happen (and what exactly is a "sequential attack", anyway?). So, in pursuit of £50, you get to humiliate your own CEO? Fun all round :-)

      2. Anonymous Coward

        Re: WalkWalk

        I'm still waiting for a call back with contact details for a UK-based manager that I can talk to - since asking for it in November, though ......

        No problem, they are over eight weeks and complaint is not resolved, you can refer your complaint to the Communications Ombudsman, whether W*nkW*nk like it or not:

        http://www.ombudsman-services.org/who-can-we-help-communications.html

        Simply by taking the complaint up for investigation, W*nkW*nk will be charged a case fee of around £400. They'll probably find in your favour - you won't get much by way of compensation, but you'll have your complaint resolved, and you are not exposed to any risk of paying their costs regardless of the outcome, so hit them where it hurts.

        The same organisation (as the Energy Ombudsman) and broadly similar rules apply to energy suppliers, so any unhappy energy customers should do the same. You can complain before the eight weeks, but to do that you have to have what's called a "deadlock letter", where the company admits that you and they cannot agree - getting one of those out of an under-performing company is like getting blood out of a stone.

    2. Anonymous Coward

      Re: WalkWalk

      People have short memories, in 6 months all this will have died down and another *10x4 customers will be banging on TT's door for phone and BB because they are *£1.50 a month cheaper than anyone else...

      *random to illustrate a point.

  4. Dan Wilkie

    It's all about that quantum stuff and something to do with strings I think.

    1. string Time

    2. Something Quantumy

    3. Magic

    4. ???

    5. Profit

    I believe is how it goes.

    Yes I'm tired.

  5. Anonymous Coward

    Go figure

    http://www.powerbase.info/index.php/Charles_Dunstone

  6. Anonymous Coward

    Can it get any worse for TT?

    http://www.bbc.co.uk/news/technology-35425275

    Call centre workers in India have been arrested.

    1. Alastair Dodd 1

      Re: Can it get any worse for TT?

      This is the mitigation strategy.. find scapegoat (india outsourcing).

      Hold up scapegoat and say "look here's the breach, our security's not shit honest".

      'Sack' India outsourcing firm very publicly - state issue solved (meanwhile outsourcing firm paid off to find scapegoat/distraction, outsourcing company restructures and renames, 'new' company 'starts' working for Talk Talk).

      Pay rise all round (exec level) for dealing with this terrible incident, carry on shitting on any decent IT security staff they have.

      1. Anonymous Coward

        Re: Can it get any worse for TT?

        "Hold up scapegoat and say "look here's the breach, our security's not shit honest"."

        if they want to deflect responsibility, it's easy - hold up the person who hired that outsourcing firm, and the people in finance up to CFO-level who approved the business case, and the CEO who OK'd the decision - then get rid of all of them. Publicly, and for cause - not just allow contracts to expire or people to resign/ find another job first. Responsibility deflected - from company. Contractual liability, not deflected at all - they still have issues under both data protection and Supply of Goods and Services, where they are clearly in breach in choosing not to exercise diligent control over the customer information.

  7. FlamingDeath

    Hey BalkBalk,

    The '90's called, they want their SQL injection back.

    Regards,

    Skiddie

  8. Derichleau

    ICO not fit for purpose

    The Ombudsman is currently investigating the ICO as it's likely that many thousands of complaints made by the public over the years have been incorrectly assessed so that they support the companies that people are complaining about. The ICO's case officers have been siding with companies because they lack the skill to challenge them.

    http://www.mindmydata.co.uk/analysis/ico_ombudsman.asp

    1. Vic

      Re: ICO not fit for purpose

      The ICO's case officers have been siding with companies because they lack the skill to challenge them.

      I once put a complaint into the ICO.

      It was dismissed because the defendant said he hadn't done what I'd alleged[1].

      Vic.

      [1] Yes, I had provided proof.

  9. Camilla Smythe

    Maybe some people can Lawyer Up...

    ...and take the ICO to court for failing to do their job properly...
