Four years after the news broke that the personal data of over 150,000 UK TalkTalk customers had been stolen, the cost of the breach, both financial and reputational, is still being reported. In the past four years we’ve heard of larger and larger data breaches, and with the European GDPR now in effect, much greater fines are being issued by the ICO (Information Commissioner’s Office) and other governing bodies. So, why is the TalkTalk data breach still making headlines?
We now know that 4% of TalkTalk customers (over 157,000 people) had their data stolen – bank details, email addresses, phone numbers and some partial credit card data. Within four months of the breach being reported, they had lost 101,000 customers. At the time, TalkTalk tried to offset these losses by offering all customers free upgrades to their services, and they have had to keep prices low in order to both retain and attract customers. It wasn’t until 2017 that they reported a rise in customer numbers, and in February of this year, although they have maintained increases in new customers, they are making less money from each one. This demonstrates that a breach will not only drive existing customers away, it will also deter potential new customers. Our own research has shown that 41% of UK consumers will stop spending with a brand permanently after a breach, and although TalkTalk haven’t lost 41% of their customers, it’s clear they have had to make adjustments to limit the loss of customers and regain the trust of those who remain.
In 2016 the ICO fined TalkTalk £400,000; at the time this was the largest fine for a breach in the UK. Considering TalkTalk is valued at over £1 billion, the fine was a small proportion of revenue. However, the additional costs of the breach have been estimated at around £60 million. How is this possible?
Firstly, sales operations had to be shut down for some time whilst their systems were fixed. In the immediate aftermath of the breach becoming public, the share price dropped steeply, wiping 30% off the company’s market value. Fast forward four years and the share price is still a fraction of what it was prior to the breach, so the total cost of the breach is in fact much higher than the estimated £60m plus the original fine from the ICO.
The TalkTalk case was the first large-scale data breach to hit the headlines in the UK. While there have been other breaches which have been larger in scale and in financial loss, TalkTalk is still in the news because the impact is still being felt by consumers and the business alike. When the lack of management of the breach is considered alongside the financial cost caused by the damage to reputation, it serves as a stark warning to businesses to take data privacy seriously and, where possible, ensure there is no data for hackers to take in the first place.