TalkTalk hack: Companies could face bigger fines for failing to protect customer data
Companies could face bigger fines for failing to protect customer data from cyber attacks, the Cyber Security Minister has suggested after the major hack of TalkTalk's website.
Ed Vaizey said the Information Commissioner's Office (ICO) can already levy "significant fines" but told SNP frontbench spokesman John Nicolson he was "open to suggestions" about how the situation could be "improved".
TalkTalk is facing a maximum fine of £500,000, but Mr Nicolson described this as small and "clearly not terrifying" for a company with an annual revenue of £1.8 billion.
During an urgent question on the hack, the SNP MP said: "In the United States AT&T was fined £17 million for failing to protect customer data.
"In the United Kingdom, the ICO can only place fines of up to £500,000.
"For a company which received an annual revenue of nearly £1.8 billion last year, a fine that small will clearly not be terrifying.
"The regulation of telecoms must be strengthened to protect consumers so will you agree that telecom providers must be held fully responsible for failing to protect confidential data and regulation needs to be strengthened to ensure this?
"Free counselling from TalkTalk is meaningless twaddle I'm afraid."
Mr Vaizey replied: "Obviously the Information Commissioner's Office will be looking at this data breach and they do have extensive powers to take action and indeed to levy significant fines but we're always open to suggestions about how that could be improved and as I said in an earlier answer I'll certainly meet the Information Commissioner's Office to look at what further changes may need to be made in light of this data breach."
Meanwhile, Culture, Media and Sport Select Committee chair Jesse Norman suggested firms should be required by law to encrypt their customers' data, as it appeared TalkTalk had not.
The Conservative MP said: "May I ask you whether you noted that much of this information as it appears had not been encrypted and whether there is in fact a case for requiring encryption of customer data in other companies such as this in future?"
Mr Vaizey replied: "It has to be said that companies should encrypt their information and there has been some misinformation that the Government is somehow against encryption."
Police are investigating Wednesday's attack, which TalkTalk said had affected its website rather than its "core systems".
Scotland Yard is investigating alongside the National Crime Agency (NCA) but no arrests have been made.
Officers are investigating a ransom demand sent to the telecoms giant following the attack by someone claiming to be responsible and seeking payment. The firm said it was not sure if the message was genuine.
The latest breach is the third in a spate of cyber attacks affecting TalkTalk in the last eight months, with breaches in August and February also resulting in customers' data being stolen.