TalkTalk became aware something was up in September 2014 after customer complaints began rolling in. Scam callers had been targeting subscribers under the pretense of providing technical support, and knew their names, addresses, TalkTalk account numbers and, of course, their phone numbers. Ironically, these wannabe identity thieves had actually gleaned this information from a customer database belonging to Wipro, a company that resolves complaints and provides legitimate tech support on TalkTalk's behalf.
Upon lengthy investigation, TalkTalk discovered three Wipro employee accounts had been used to access customer details unlawfully. As it turned out, employees could access the data by logging in from any device with an internet connection, and simple search terms would allow staff to view and export the data of 500 customers at a time. It was this lax approach to data handling that the ICO found to be a breach of the Data Protection Act, hence the fine of £100,000 today.
This kind of breach is completely different to the "significant and sustained cyberattack" that hit the provider in 2015, but we imagine TalkTalk would just like to pay the piper and let us go back to forgetting this earlier breach ever happened.