TalkTalk customers must prove fraud to avoid cancellation fees
With investigations making progress and a 15-year-old suspect in custody following a "significant and sustained" attack on its website, TalkTalk has begun notifying customers of their next steps. In its latest update, the company says that "as a gesture of goodwill," subscribers wishing to cancel their service can have their termination fees waived only if they can prove they had money stolen from them. Personal details including names, addresses, phone numbers and credit card/account numbers were taken in the attack, but the company later clarified that banking data was obfuscated and could not be used to directly empty customer accounts.
"In the unlikely event that money is stolen from a customer's bank account as a direct result of the cyber-attack (rather than as a result of any other information given out by a customer) then as a gesture of goodwill, on a case by case basis, we will waive termination fees," says TalkTalk on its website.
TalkTalk is certainly taking a hard line, but with a potential customer exodus on its hands, it's ready to enforce its terms. Over the weekend, company chief Dido Harding told the Sunday Times that the company wasn't legally required to encrypt customer data: "[Our data] wasn't encrypted, nor are you legally required to encrypt it. We have complied with all of our legal obligations in terms of storing of financial information."
UK data laws require companies to take "appropriate technical and organisational measures" to reduce the chances of accidental loss or destruction of personal data, but they don't specify that information needs to be encrypted. TalkTalk reiterates this point, even though it'll likely do nothing to strengthen goodwill from customers who have seen their details compromised.
While the scope of the TalkTalk hack is still unknown, the attack has raised numerous questions over how companies store personal details. MPs have already confirmed they will launch an inquiry into attack, with Culture minister Ed Vaizey telling the House of Commons that the government is not against the compulsory encryption of customer data.
