TalkTalk’s shoddy approach to data governance has been exposed once again after the Information Commissioner’s Office hit the firm with a new £100,000 fine, this time for exposing the records of 21,000 customers to fraudsters in an Indian call centre.
The issue pre-dates the “car crash” hack on the TalkTalk website in October 2015, which triggered a record £400,000 fine from the ICO last year and has already cost TalkTalk an estimated £60m.
It first emerged in September 2014, when TalkTalk started getting complaints from customers that they were receiving scam calls. Typically, the scammers pretended they were providing support for technical problems and quoted customers’ addresses and TalkTalk account numbers.
The ICO launched an investigation into how customer details – names, addresses, phone numbers and account numbers – were compromised and discovered that the issue lay with a TalkTalk portal through which customer information could be accessed.
One of the companies with access to the portal was Wipro, a multinational IT services company in India, that resolved high level complaints and addressed network coverage problems on TalkTalk’s behalf.
An internal investigation by TalkTalk identified three Wipro accounts that had been used to gain unauthorised and unlawful access to the personal data of up to 21,000 customers. Some Wipro employees had access to data of between 25,000 and 50,000 TalkTalk customers.
Staff were able to log into the portal from any Internet-enabled device, with no controls in place to restrict access to devices linked to Wipro. They were also able to carry out “wildcard” searches – for example, entering “A*” to return all surnames beginning with that letter. This allowed staff to view up to 500 customer records at a time and to export the data, potentially offsite.
The ICO found this level of access was unjustifiably wide-ranging and put the data at risk.
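The failures described above (no restriction on where staff connect from, wildcard searches, and bulk exports) are all visible in portal access logs if anyone looks. The following is an added example, not code from TalkTalk, Wipro or the ICO: a small checker that runs over constructed sample log lines in a hypothetical format and flags each of those three patterns. The allowed network range, the export threshold and the log format are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a hypothetical portal access-log format:
# timestamp user src_ip action query_or_count
SAMPLE_LOG = """\
2014-09-01T09:00:01 wipro_agent01 203.0.113.10 SEARCH surname=Patel
2014-09-01T09:00:05 wipro_agent01 203.0.113.10 SEARCH surname=A*
2014-09-01T09:00:09 wipro_agent01 203.0.113.10 EXPORT rows=500
2014-09-01T09:01:12 wipro_agent07 198.51.100.77 SEARCH surname=*
2014-09-01T09:01:20 wipro_agent07 198.51.100.77 EXPORT rows=480
2014-09-01T09:02:00 wipro_agent03 203.0.113.11 SEARCH account=12345678
"""

# Assumed policy: only the supplier's own egress range may reach the portal,
# a wildcard is never a legitimate surname search, and exports above a
# small page size are out of the ordinary and should be reviewed.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
EXPORT_THRESHOLD = 50
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SEARCH|EXPORT) (\S+)$")


def check_line(line):
    """Return a list of finding strings for one log line (empty if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable line"]
    _ts, user, src_ip, action, arg = m.groups()
    findings = []
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in net for net in ALLOWED_NETS):
        findings.append(f"{user} from unapproved address {src_ip}")
    if action == "SEARCH" and ("*" in arg or "%" in arg):
        findings.append(f"{user} wildcard search {arg}")
    if action == "EXPORT":
        rows = int(arg.split("=", 1)[1])
        if rows > EXPORT_THRESHOLD:
            findings.append(f"{user} bulk export of {rows} records")
    return findings


def scan(log_text):
    """Run check_line over every line; return all findings and a per-user count."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(check_line(line))
    per_user = Counter(f.split()[0] for f in findings)
    return findings, per_user
```

Running `scan(SAMPLE_LOG)` surfaces the two accounts that combine wildcard searches with large exports, one of them from outside the approved range; the same checks, enforced at the portal rather than after the fact, are the controls the ICO found missing.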
Information Commissioner Elizabeth Denham said: “TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people. TalkTalk should have known better and they should have put their customers first.”
The ICO said it fined TalkTalk because it did not have appropriate technical or organisational measures in place to keep personal data secure, adding that it should have been aware of the risks and that the misuse of personal data was likely to cause substantial damage or distress.
A TalkTalk spokeswoman said: “We notified the ICO in 2014 of our suspicions that a small number of employees at one of our third party suppliers were abusing their access to non-financial customer data.
“We informed our customers at the time and launched a thorough investigation, which has led to us withdrawing all customer service operations from India. We continue to take our customers’ data and privacy incredibly seriously, and while there is no evidence that any of the data was passed on to third parties, we apologise to those affected by this incident.”