TalkTalk is facing a High Court showdown on the back of two data breaches – including its notorious 2015 “car crash” hack attack – with the launch of a class action compensation claim through law firm Leigh Day.
The case, Graeme Smith & 353 Others v Talk Talk Telecom Group PLC, is the latest in a long line of class actions being brought in the UK and follows a four-year campaign by the law firm to attract customers affected by the incidents.
In the first breach, in 2014, contractors in India gained unauthorised access to the personal information of up to 21,000 customers, including names, addresses, phone numbers and TalkTalk account details.
It first emerged when TalkTalk started getting complaints from customers that they were receiving scam “phishing” calls. Typically, the scammers pretended they were providing support for technical problems and quoted customers’ addresses and TalkTalk account numbers and then tried to get customers to hand over their bank details.
The company was eventually fined £100,000 by the Information Commissioner’s Office for failing to have adequate security measures in place to prevent this breach.
TalkTalk, at the time spearheaded by the new Government advisor Dido Harding, was also fined £400,000 by the ICO over the 2015 hack attack, which the regulator said was carried out “with ease” due to “TalkTalk’s failure to implement the most basic cyber security measures”.
The ICO investigation found that the attacker accessed the personal data of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes.
Following the fine, Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate [its] systems with ease.
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
The breach eventually cost TalkTalk an estimated £77m and led to tens of thousands of customers defecting to rivals. The ringleader of the hacking gang was jailed for four years in June last year; two others were given 18-month sentences in 2018.
However, TalkTalk’s failure to properly compensate the 170,000 customers who had been affected by both incidents is the main driver of the class action.
Initially, the telecoms company offered just 12 months of free credit monitoring alerts as recompense. And for customers who wanted leave, TalkTalk said it would only waive termination fees for customers who had had money stolen directly from their account.
The firm eventually offered free upgrades for its customers, without any additional commitments, but even this was deemed inadequate.
The exact level of compensation Leigh Day is seeking is not known but, following the Court of Appeal’s decision on the Lloyd v Google “iPhone tracking” case on October 2 2019, if it wins compensation, all those who have been affected will be entitled to a payout, even if they did not join the class action.
Marriott faces data loss claim – will it open floodgates?
‘Utterly ruthless’ TalkTalk hacker jailed for four years
Duo jailed for 18 months for £77m TalkTalk hack attack
TalkTalk chief bows out ‘after seven fulfilling years’
17-year-old lad pleads guilty to TalkTalk ‘car crash’
TalkTalk rocked by record £400k fine for data breach
Coppers told TalkTalk to keep schtum over breach
Three held at TalkTalk call centre for data theft
TalkTalk chief hits back: we’re just the punchball
TalkTalk fined £100,000 over India call centre failings
TalkTalk rocked by ‘industrial scale Indian fraud gang’