TalkTalk fined £100,000 after carelessly exposing customer data. Again.

UK telecoms operator TalkTalk has been fined £100,000 for failing to protect the personal information of consumers, after the details of 21,000 customers were leaked.

The breach, first claim to light in September 2014 after TalkTalk customers began to complain that they were receiving telephone calls from scammers. Most commonly the fraudsters would pretend that they were calling from TalkTalk support about technical problems, and quote customers’ addresses and account numbers in an attempt to appear more legitimate.

According to an investigation by the Information Commissioner’s Office (ICO), the information had been accessed through a TalkTalk portal used by Wipro, an Indian IT services company that resolved customer complaints on TalkTalk’s behalf.

In January 2016, three Wipro employees were arrested in connection with the scam calls, which had been flooding TalkTalk customers. In all it was determined that the personal details of up to 21,000 customers had been accessed.

An investigation discovered that some 40 Wipro workers were able to access the data of between 25,000 and 50,000 customers, and that the data itself was poorly protected to prevent abuse.

For instance, staff were able to:

• log in to the portal from any internet-enabled device. No controls were put in place to restrict access to devices linked to Wipro.
• carry out “wildcard” searches – for example, entering “A*” to return all surnames beginning with that letter. This allowed staff to view large numbers of customer records at a time and to export data.
• view up to 500 customer records at a time.

Such powerful and wide-ranging access to sensitive data was clearly asking for trouble, in the opinion of the ICO:

“TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people,” said Information Commissioner Elizabeth Denham. “TalkTalk should have known better and they should have put their customers first.”

All companies should have appropriate technical or organisational measures in place to keep personal data secure, says the ICO’s report which notes that TalkTalk had “ample opportunity over a long period of time to implement appropriate measures, but it failed to do so.”

And although no direct evidence has been found between the data breach and the spate of scam calls that TalkTalk customers have received over the years, I don’t think anyone could be criticised for assuming that they are somehow connected.

Of course, this isn’t the first time that TalkTalk has found itself under the spotlight for a serious security breach.

Most infamously there was the headline-grabbing hack of October 2015 where the personal details of 157,000 TalkTalk customers and approximately 15,600 bank account numbers were stolen. That breach came about because of a spate of shameful security practices, and resulted in TalkTalk receiving a record fine.