TalkTalk paid its chief executive, Dido Harding, an extra £1.8m last year when the telecoms company suffered a cyber-attack that cost it £60m and 101,000 customers.
Baroness Harding received £2.81m for 2015, up from £1.05m the year before, the company’s annual report showed. Her pay, including £550,000 salary, increased because of a £1.97m payout under TalkTalk’s long-term incentive plan (LTIP). The payment covered TalkTalk’s performance from 2012 to 2015 and was half the maximum Harding might have received.
Harding’s cash bonus almost halved to £220,000 from £432,000 – a cut the company said was due to the cyber-attack. Harding has donated the bonus to the charity Ambitious about Autism in recognition of the problems caused by the cyber-attack.
She would have been eligible for £343,000 under the terms of the bonus plan but “in the context of the cyber-attack on TalkTalk and after careful consideration, the remuneration committee has exercised discretion and determined that the annual bonus should be at a reduced level”, the company said.
TalkTalk revealed Harding’s pay arrangements as MPs on the culture, media and sport committee called for chief executives’ earnings to be linked to the security of their company’s computer systems. Their report criticised TalkTalk’s lack of preparation for a large cyber-attack.
TalkTalk’s computer systems were hacked in October in what was originally feared to be a mass raid on customers’ personal data. The attack proved to be less widespread than first believed, with about 4% of the company’s 4 million customers affected and no financial loss to customers despite the partial disclosure of payment details.
After TalkTalk was slow to notify customers and the data protection watchdog, Harding took to the airwaves to limit the damage and gained credit for taking personal responsibility for the attack. She admitted the company had underestimated the problem and promised to improve its operations.
But customers were left seething by uncertainty created by the company’s initial handling of the attack and its slack security systems. TalkTalk also refused to let people terminate contracts without incurring charges, and instead offered them a free upgrade, which almost half a million customers took up.
In the annual report, Sir Charles Dunstone, TalkTalk’s chairman, said the company had recovered strongly since the cyber-attack.
“By communicating honestly with our customers to help them protect themselves, we not only set a new standard of openness and transparency for large businesses dealing with such challenges, we also demonstrated that TalkTalk is a business brave enough to put our customers’ interests first.”
The culture, media and sport committee published a report based on its investigation triggered by TalkTalk’s security breach. Harding gave evidence to the inquiry in December.
The MPs said TalkTalk had not done enough to prepare for an attack on its systems and slowness to protect computer systems was weak across British industry. They recommended measures including:
- A chief executive’s pay should be based partly on maintaining effective cybersecurity to reduce the chances of a crisis.
- Companies should appoint an officer with day-to-day responsibility for protecting computer systems from attack.
- It should be easier for consumers to claim compensation if they are the subject of a data breach.
- Companies should report on their cybersecurity measures and show they have identified and dealt with weaknesses if a breach occurs.
Jesse Norman, the committee’s chairman, said: “Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.
“As the TalkTalk case shows, the reality is that cyber-attacks are a constant, evolving threat. TalkTalk responded quickly and well to this attack, but appear to have been much less effective in the past, failing to learn from repeated breaches of different kinds.”
Norman said TalkTalk should release details of a report the company commissioned from PwC into its security systems as soon as possible. He also said a report by the information commissioner was taking too long and that the agency appeared to be understaffed.
