Cyber Security: Protection of Personal Data Online

4 Data protection in third party suppliers

26. In addition to the data breach that followed the cyber-attack, we are also concerned by the data breaches that affected third party suppliers to TalkTalk in September 2014 and December 2015.[43] Several of these cases were highlighted by the radio programme Moneybox in February 2016; scammers were able to access detailed customer records within 24 hours of an engineer’s visit and use that information to persuade customers to grant access to their personal computers, leading to financial losses. Experiences like this are not limited to TalkTalk but have also affected banking and on-line retail customers.[44] In evidence, the Institute of Chartered Accountants in England and Wales argued that many businesses are struggling to get control of their supply chain, and get assurance from suppliers with the highest associated cyber risk.[45] We note that in the 2016 Cyber Security Breaches survey, only 34% of large companies set cyber-security standards for their suppliers. All telecommunications companies and on-line retailers, and other cyber-vulnerable organisations, should take steps to ensure that compliance with data protection rules and Cyber Essentials are key criteria when selecting third party suppliers.

43 Talk Talk CYB0031 paragraph 1

44 Tim Coote CYB0011 point 1

45 ICAEW CYB0017 point 5

© Parliamentary copyright 2015

17 June 2016