TalkTalk fined £100,000 for not protecting customers' personal data

Broadband provider found to have put 21,000 subscribers’ data at risk by allowing ‘rogue’ staff at Indian contractor access to it

TalkTalk has been fined £100,000 by the Information Commissioner’s Office (ICO) after the telecoms giant was found to have placed personal data from 21,000 customers at risk.

An ICO investigation found the company breached data protection laws after staff from an IT firm working with TalkTalk were able to access large amounts of customer data through an online company portal.

According to the investigation, “rogue” staff at Indian firm Wipro, who resolved high-level complaints and network problems on TalkTalk’s behalf, used the portal to gain unauthorised access to customer data – including names, addresses and phone numbers.

Information commissioner Elizabeth Denham said: “TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people. TalkTalk should have known better and it should have put its customers first.”

The investigation was launched after TalkTalk received complaints from customers who were receiving what they described as scam phone calls. However, the ICO said it did not find direct evidence of a link between the compromised information and the scam call complaints.

According to the investigation, 40 employees at Wipro had access to the data of between 25,000 and 50,000 TalkTalk customers, and three accounts linked to the firm were used to gain unlawful access to the data.

In a statement, a TalkTalk spokesman said: “We notified the ICO in 2014 of our suspicions that a small number of employees at one of our third-party suppliers were abusing their access to non-financial customer data.

“We informed our customers at the time and launched a thorough investigation, which has led to us withdrawing all customer service operations from India. We continue to take our customers’ data and privacy incredibly seriously, and while there is no evidence that any of the data was passed on to third parties, we apologise to those affected by this incident.”

The ICO investigation said account holders could log into the portal from any internet-enabled devices and carry out broad searches that enabled them to view up to 500 customer records at a time.

The investigation said this level of access was “unjustifiably wide-ranging” and placed data at risk.

The incident is unrelated to the 2015 cyber attack on the telecoms giant when personal details of more than 150,000 customers were compromised, as well as partial financial information related to more than 15,000 customer accounts.

For that incident, the company was fined £400,000 for the security failings that allowed the attack to take place. The amount the ICO can fine companies for serious breach of data protection obligations is capped at £500,000.