Yes, hackers breached TalkTalk’s systems and probably stole the personal information of many of the British Internet provider’s 4 million customers. But the company wasn’t legally required to do everything it could to protect customer information, according to embattled CEO Dido Harding.

Harding was responding to the growing uproar over the third TalkTalk hack this year when she implied the company could have done more to stop the theft of customer data. Stolen data includes names, addresses, dates of birth, email addresses, credit card details and banking information. The attackers have since threatened to post the stolen information on a dark net forum unless TalkTalk pays a £80,000 (roughly $123,000) ransom in bitcoins.

“[Our data] wasn’t encrypted, nor are you legally required to encrypt it,” Harding told the Sunday Times. “We have complied with all of our legal obligations in terms of storing of financial information.”

Harding’s comments won’t win her any customer service awards, but it looks like she’s right. The Data Protection Act, which regulates the collection and storage of personal data in the United Kingdom, stipulates that “appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

There’s no mention of encryption in the law, but experts suggested TalkTalk could be on the hook for after failing to encrypt customer data after two previous data breaches. The company was hacked in both February and August of 2015.

“It is the Great Train Robbery of the 21st century,” Aiden Culley, a former Metropolitan Police detective told the Sunday Times. “There is a potentially huge liability for TalkTalk as a result of this.”

TalkTalk has yet to confirm how much data was actually taken, merely warning customers to change their passwords. The hackers claim to be Russian jihadis (there’s no evidence to support this, according to cybersecurity journalist Brian Krebs) and have already announced their intention to post the data on AlphaBay, an online black market that specializes in stolen credit card numbers.