5. Although the TalkTalk cyber-attack in October 2015 was the trigger for this inquiry, it is essential to put this attack in context. Cyber-crime is a significant and growing problem and affects all sectors with an on-line platform or service. As the British Business Federation Authority said in their evidence to the Committee:
The TalkTalk incident is one of many that have happened and continue to happen. To consider it in isolation of others would be misleading. The overall context is complex and changing fast... The problem space is international.
6. According to evidence submitted by the Federation of Small Businesses (FSB), a third of their members had been the subject of cyber-crime. The FSB also cited the PricewaterhouseCoopers (PwC) 2015 Information Security Breaches Survey, conducted on behalf of the Department for Business, Innovation and Skills, which found that 90% of large organisations had experienced a security breach. The recently published Cyber Security Breaches Survey 2016 commissioned by the Department for Culture, Media and Sport (DCMS) found that 25% of companies experience a cyber-breach at least once a month.
7. The Internet Telephony Services Providers’ Association emphasised that data breaches are not unique to the telecommunications sector, and indeed the latest research from the Information Commissioner’s Office (ICO) shows that the health sector has the most data breaches, followed by local government. Furthermore, it is also important to make clear that not all threats to cyber security or data protection are from external actors. Research from Intel showed that 43% of breaches were caused by internal actors (employees, contractors and third party suppliers) and half of these were accidental.
8. Companies and organisations are responding to the cyber-threat in different ways. The 2015 PwC Information Security Breaches Survey found that 49% of companies are accredited to the Government’s Cyber Essentials and Cyber Essentials Plus scheme, or are on their way to accreditation. The 2016 Cyber Security Breaches Survey found that 51% of companies had completed five or more of the Government’s ‘Ten Steps to Cyber Security’. In evidence, Dido Harding underlined that TalkTalk used the ‘Ten Steps to Cyber Security’ and was going through the accreditation process to the Cyber Essentials programme.
9. It is also essential to put this attack in the context of the regulatory framework. As the end result of the TalkTalk cyber-attack was a personal data breach, the lead regulator here is the Information Commissioner’s Office (ICO), which is responsible for compliance with data protection law. As the regulator for electronic communications networks and services, however, Ofcom was also involved. In the year to March 2015, the ICO received 14,368 “concerns” under the Data Protection Act and around 180,000 under the Privacy and Electronic Communications Regime. In the same period the ICO received 285 reports from communications service providers, who are required to notify the ICO of any security breach within 24 hours under the Privacy and Electronic Communications Regulations (PECR). The ICO’s enforcement section of 30 staff are dealing with approximately 1,000 cases at any given time.
10. The ICO conducted an audit of TalkTalk in September 2014, which resulted in a number of suggestions but did not give the ICO any reason to put TalkTalk on a ‘watch list’. In written supplementary evidence, TalkTalk stated that they had reported 14 data breaches to the ICO over the previous two years, including two separate internal data breaches involving third party suppliers in September 2014 and December 2015.
17 June 2016