TalkTalk chief executive Dido Harding has claimed Scotland Yard told the company to ignore Information Commissioner’s Office guidelines and cover up the hack attack on its systems, so that disclosure would not hamper efforts to catch the culprits.
Although it is not yet a legal requirement to notify customers of a data breach – something that is likely to change once the EU data protection reforms have been passed – the claim will infuriate the ICO which has stressed the need for companies to be open and transparent.
In fact, TalkTalk was slammed by the Information Commissioner Christopher Graham, following the October 21 attack, for failing to tell its 4 million customers until the next day.
Appearing in front of MPs on the Commons Culture, Media & Sport Select Committee, Harding said TalkTalk was also told there was a risk other firms had suffered a similar attack.
She said: “I was clear by the lunchtime on the Thursday [22 October] that the sensible thing to do to protect my customers was to warn all of them because I could help make them safer. The advice we received from the Metropolitan Police was not to tell our customers.
“I totally understand why the police wanted us to stay quiet, because they have got a different objective – they want to catch the criminals.”
Under changes likely to be passed this week in Brussels, fines for non-compliance with the EU General Data Protection Regulation could be as high as €100m (£70m) or up to 5% of a company’s annual global turnover – although some commentators believe this will go down to 2%.
However, if the new rules had already been in place when TalkTalk was hacked, it could be facing a fine of nearly £90m, based on its turnover of £1.8bn. That is in addition to the £35m in one-off costs it has already set aside, and the cost of any resultant legal action from customers.
Five people have now been arrested over the incident, which saw the theft of 15,656 bank account numbers and sort codes and 28,000 obscured credit and debit card numbers.
The latest arrest was made in Llanelli, Wales, late last month, after police searched an address there. The person has been released on bail without charge while police continue their investigation.
Three teenagers and a 20-year-old had already been seized on suspicion of offences under the Computer Misuse Act. The other arrests were made in County Antrim, Northern Ireland, and in Feltham, Norwich, and Staffordshire, England.