
Where’s the consumer protection when data protection fails?

Data breach

Eight months after TalkTalk’s data breach, the Culture Media and Sport Committee has published findings from its inquiry into cyber security and the protection of personal data.

The Committee heard from a range of experts and businesses, including TalkTalk’s Chief Executive Dido Harding, TechUK and the Information Commissioner on the growing threat of cyber-attacks on all businesses with an online platform or service.

And it seems businesses are found wanting. Worryingly, 90% of large companies have experienced a security breach, with 25% of companies experiencing a cyber-breach at least once a month. So it’s no surprise that consumers are increasingly concerned about data protection and cyber-security.

Data protection

The Institute of Customer Service said that over 1 in 4 people are most concerned that cyber-attacks might compromise their personal information and could result in a financial loss.

And our own research found that of the people we asked, half of them avoid using certain online services, apps and products for fear of being targeted by scammers.

Interestingly the Culture, Media and Sport Committee also received evidence from a number of individuals claiming to have fallen victim to scam calls, having been hounded by nuisance calls since their personal data had been leaked as a result of the data breach.

The problem is that when things go wrong the picture isn’t so rosy. The Committee noted that redress following a data breach is still too difficult.

In order to get compensation for damages, individuals may need to take legal action through a small claims court. This can be a long and costly process with no guarantee of success. And in some circumstances, if you fall victim to a data breach, there is also no automatic right to terminate your contract early.

So when your personal data has been leaked, you are left exposed to scams and your trust in the company has diminished as a result of the hack, yet there is not always a simple get-out clause. Early contract termination is usually at the gift of the company and governed by its original terms and conditions – often ones you won’t be aware of until it’s too late.

Next steps

So it’s positive that the Committee has acknowledged, interrogated and attempted to address these challenges – it recommended that more support and guidance should be offered to individuals to make a small claim for compensation, and that telecoms and mobile companies should provide clearer terms and conditions on the right to terminate a contract early.

But it still seems like it’s not enough. When there’s an industry-wide problem facing the threat of cyber-attacks and hacks, why is it that consumers are still the ones facing the costs and consequences?


This comment was removed at the request of the user

Virginmedia is a 0845 number

I recently became a victim of a scam whilst booking a holiday rental on the Homeaway.co.uk website. My details were compromised whilst making genuine queries about the availability of properties. The way I was scammed only suggests that it was an inside job and my personal details were used in order to advertise a fraudulent listing which met my exact criteria, enticing me to book and part with £1700. The company are being very arsy and not giving me an explanation of how this breach happened. They generalised it by saying that sometimes their website does become a victim of a fraudulent listing but this was very rare. That is not the case: Homeaway/Owners Direct have been having issues with these sorts of scams since 2010 and 6 years on their security is no better, and they still don’t accept any liability. The government needs to do something about companies like homeaway.co.uk and make them accountable; then maybe they’ll take the safety and security of their customers seriously.

The ICO should be taken to task for using woolly words like “reasonable” in their guidance. Companies have to take reasonable steps. What I consider reasonable will be totally different from an IT director, and therein lies the problem.

Security breaches could be almost done away with if companies actually encrypted their data at source. Many hackers aren’t going to want to spend time hacking a system they can’t get the data from. But I imagine many companies haven’t done this due to the cost of not designing the system properly in the first place.

They could always force companies who have been breached to stop using overseas call centres; many TalkTalk scam phone calls have come from Asian call centres.

“And our own research found that of the people we asked, half of them avoid using certain online services, apps and products for fear of being targeted by scammers.”

Can you provide a link to the research please?

I agree, and I would like to see the basis of the “research” that I believe is often subcontracted. I don’t recall ever having been asked to take part in such research despite being a Which? and Connect member for many years. Which? has 40,000 Connect members they could ask – a representative, good-sized sample I would think.

What background information do they present to those surveyed? What questions are asked? I’d like to know. Some survey results come as a surprise: “In our survey of Which? campaign supporters over the weekend, 94% of nearly 30,000 people told us that car manufacturers are not being fair to UK consumers.” for example. Really?? Fair in what respect? I’d need some convincing, but the basis of the research would help.

Making organisations and companies pay when they are negligent in the way they hold and handle data will either result in it being seen as a business expense if it is too low or may incentivise them to invest in better security and discipline if it is pitched at the right level. Public bodies of course needn’t worry because the tax payer will fund it. I guess the problem will be proving negligence.

And how we really stick it to those who deal in personal details … NOT

You really really have to hand it to the ICO

The amount paid was probably the reduced £104,000 and the executives get off scot-free. One person, possibly one whose details were sold, lost £16,000 to the Australian scammers.

I am faintly disturbed by the difference in emphasis in this article and what appears on the Government site. The request for jail sentences and a beefed-up ICO should be mentioned.

17 June 2016
The Culture, Media and Sport Committee publishes report recommending a new custodial sentence of up to two years for those convicted of unlawfully obtaining and selling personal data. It has also said the Information Commissioner’s Office (ICO) should also have a robust system of escalating fines at its disposal to sanction those who fail to report, prepare for or learn from data breaches.

The Chairman was fairly tough particularly in the last two paragraphs

“Chair’s comment – Jesse Norman MP, Chair of the Committee, said:

“Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment. Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.

As the TalkTalk case shows, the reality is that cyber-attacks are a constant, evolving threat. TalkTalk responded quickly and well to this attack, but appear to have been much less effective in the past, failing to learn from repeated breaches of different kinds.

They should now publish as much of the PWC investigation as commercially possible without delay, and set out exactly how they will implement any necessary changes. Everyone must take the lessons from the Talk Talk breaches as a wake-up call – both in how they prepare to prevent cyber-attacks, and in how they deal with their consumers when those attacks occur.”



Just goes to show how well our data is secured. These are not highly dangerous breaches but for scammers they can provide enough details to be useful.

Ransomware with a new twist. And an additional password stealing attachment.





Duncan: there is a total of one person in the world known to have been caught by this code flaw, exploited by an Israeli security firm and sold to Governments. It’s not new, either, but simply an extension of the Pegasus spyware discovered a couple of weeks ago. The only new fact is that the flaws have been discovered to affect Safari as well, and thus the potential vulnerability extends to all Apple kit. Fortunately, Apple’s excellent update service had already pushed the updates out several days ago, so things are now fixed. Until the next time, of course…

A few years ago (2011-2012) I was a customer of Eon, the utility company. For some reason or another they opened an account in my name and billed me £80.00 for a property I had nothing to do with. Firstly they started to bother me by phoning twice a day, early mornings and weekends; after I threatened to report the matter to the I.C.O they stopped and passed on my details to four different debt collection companies. I reported the matter again to the I.C.O and I was told to write to the energy company’s ombudsman? Me and my family are terrorised with telephone calls that have only recorded messages.
