It was just last week that I told you about the major data breach at British communications company TalkTalk, which provides broadband, phone and cable services. Personal information of as many as four million customers may have been stolen. The compromised information included names, addresses, email addresses, telephone numbers, credit card numbers and bank account details. This latest incident is the third data breach TalkTalk has suffered in the last year. Police in England and Ireland have arrested a 15-year-old boy and a 16-year-old boy in regard to the data breach although, as I write this, neither boy has been specifically charged with the crime.
Meanwhile, in one of the lamest excuses ever heard, Dido Harding, the Chief Executive Officer of TalkTalk, said that the company’s data “wasn’t encrypted, nor are you legally required to encrypt it. We have complied with all of our legal obligations in terms of storing financial information.” Whether TalkTalk has indeed complied with all of the legal requirements regarding the storing and protecting of financial information is actually irrelevant. What is relevant is that TalkTalk obviously doesn’t understand the necessity of protecting its data. Whether or not there is a legal requirement to encrypt its data, the company should be doing so as an elemental aspect of data security. When a company that has suffered three data breaches in a single year defends itself by saying it is complying with the minimum requirements of the law regarding data storage, it shows that it is absolutely clueless.
No one should ever do business with a company like TalkTalk, which through its words and actions has shown that it does not make a sufficient commitment to data security. The laws should be strengthened to require greater data security steps by companies; however, merely as a good business practice, companies should be, and many are, making greater commitments to cybersecurity. We as consumers are left at the mercy of the companies and governmental agencies with which we do business. If they have weak security, we have weak security. Therefore, as much as you can, limit the personal information that you provide to companies and governmental agencies with which you do business, and only do business with companies that show a real commitment to cybersecurity.