“TalkTalk has cooperated fully with the ICO at all times and, whilst this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers.

“During a year in which Government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.

“As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time.”

Notes to editors

  • On Wednesday 21st October, while investigating latency on the talktalk.co.uk website, TalkTalk discovered that it had been attacked

  • We took key websites offline and, after receipt of a credible ransom demand, informed law enforcement agencies and the security services

  • The ICO was also notified in line with our statutory obligations

  • Customers were informed on Thursday 22nd October as we worked to establish exactly what had happened and who had been affected

  • We kept customers updated throughout this time, giving them advice on how to protect themselves from scammers. We also offered every single customer 12 months’ free credit monitoring  

  • After a full investigation, it was established that the total number of customers whose personal details were accessed was 156,959.

  • There is no evidence to suggest any customers have been impacted financially as a direct result of the attack, but we have launched a nationwide educational campaign, called Beat the Scammers, to help customers (and the wider public) keep themselves safe from fraudsters

  • Recent ICO fines for data theft/loss include:

    • August 2015: the Money Shop Ltd was fined £180,000 for the loss of an undisclosed number of customer details (including financial information), of which only a few were encrypted

    • February 2015: Staysure.co.uk was fined £175,000 for the loss of up to 100,000 live credit card details (including security numbers) and medical records; 5,000 customers had their cards used by fraudsters as a result

    • November 2014: WorldView was fined £7,500 after the credit card details (including security numbers) of 3,800 customers were stolen by hackers