SaaS Agreements – Data Protection – TalkTalk Fine

SaaS customers and SaaS Suppliers should be aware that in October 2016 the Information Commissioner’s Office (ICO) issued a £400,000 fine against TalkTalk for serious breaches of the Data Protection Act 1998 (DPA). The fine was issued in relation to the hacking of personal data stored in a database that was accessible via the Internet.

TalkTalk Case

In 2015, a cyber-attack exploited vulnerabilities in some web pages leading to the extraction of personal data from an underlying database of customer data operated by TalkTalk. The data accessed included names, addresses, email addresses, telephone numbers and dates of birth of more than 150,000 customers and the bank account numbers and sort codes of more than 15,000 customers.

Breach of Data Protection Law

The ICO determined that TalkTalk had breached the 7th principle of the DPA as they had not taken appropriate technical and organisational measures against authorised or unlawful processing of personal data. Nor had TalkTalk taken appropriate technical and organisational measures against accidental loss or destruction or damage to personal data.

The ICO came to this conclusion on the basis that:

  • There were minimal levels of protection of personal data in place;
  • Use of out of date software had allowed the database to be accessed using a basic cyber-attack; and
  • A well known patch designed to fix this issue had been available for 3 years but had not been installed by TalkTalk.


£400,000 is the highest fine that the ICO has issued to date. Such a large fine was issued because:

  • The personal data included names, address, email addresses and bank account information;
  • Such data was likely to cause the individuals concerned substantial distress and would expose them to an increased risk of blagging, phishing and fraud; and
  • The breach was not a one-off event (there had been previous cyber-attacks); and
  • The breach was not attributable to human error.

How to Avoid Similar Breaches

SaaS customers and SaaS suppliers should reduce the risk of having a similar fine imposed on them for breaches of the DPA by taking the following basic precautions:

  • Using current patches;
  • Checking and monitoring for potential vulnerabilities in webpages and databases;
  • Regularly reviewing security measures;
  • Staying informed about attacks to other businesses; and
  • Identifying, responding to and acting appropriately to actual and attempted cyber attacks.

Also, SaaS customers and SaaS suppliers should bear in mind that from the 25th of May 2018 the ICO will have increased powers to issue much higher fines under the General Data Protection Regulation (GDPR) of 4% of a group’s total worldwide turnover or €20 million, whichever is higher.


Irene Bodle is an IT lawyer specialising in SaaS, with over 15 years experience in dealing with SaaS, cloud computing and IT law issues. If you require assistance with any SaaS agreements, cloud computing concerns or any other IT legal issues please contact me at:

To register for my newsletter click here


Other related articles: