UK service provider TalkTalk has been fined £100,000 (€110,500) by the Information Commissioner’s Office for failing to “look after its customers’ data”.
An ICO investigation found TalkTalk breached the Data Protection Act, as it allowed staff to access large quantities of customers’ data due to “lack of adequate security measures”.
This left data open to “rogue employees”, who could access customers’ details such as names, addresses, phone numbers and account numbers.
The breach came to light in September 2014 after TalkTalk started receiving complaints from customers that they were getting fraudulent service calls, with scammers able to quote customers’ addresses and TalkTalk account numbers, according to the ICO.
“TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people,” said Information Commissioner, Elizabeth Denham. “TalkTalk should have known better and they should have put their customers first.”
TalkTalk’s own investigation found that three accounts used by India-based IT services and outsourcing company Wipro had been used to gain unauthorised and unlawful access to the personal data of up to 21,000 customers.
The ICO fined TalkTalk because it found it had breached the seventh principle of the Data Protection Act by not having appropriate technical or organisational measures in place to keep personal data secure.
Separately, TalkTalk was the victim of a cyber attack in October 2015, with the breach exposing customers’ email addresses, names and phone numbers, as well as bank account numbers and sort codes.
It later transpired that a 17-year-old boy was behind the hack. He was given a 12-month youth rehabilitation order after admitting seven offences related to the hacking at a hearing at Norwich Youth Court last year.