26. In addition to the data breach that followed the cyber-attack, we are also concerned by the data breaches that affected third party suppliers to TalkTalk in September 2014 and December 2015.[43] Several of these cases were highlighted by the radio programme Moneybox in February 2016; scammers were able to access detailed customer records within 24 hours of an engineer’s visit and use that information to persuade customers to grant access to their personal computers, leading to financial losses. Experiences like this are not limited to TalkTalk but have also affected banking and on-line retail customers.[44] In evidence, the Institute of Chartered Accountants in England and Wales argued that many businesses are struggling to get control of their supply chain, and get assurance from suppliers with the highest associated cyber risk.[45] We note that in the 2016 Cyber Security Breaches survey, only 34% of large companies set cyber-security standards for their suppliers. All telecommunications companies and on-line retailers, and other cyber-vulnerable organisations, should take steps to ensure that compliance with data protection rules and Cyber Essentials are key criteria when selecting third party suppliers.
© Parliamentary copyright 2015
17 June 2016