TalkTalk fined for exposing customers to scam risk
Communications firm TalkTalk has been fined £100,000 by the Information Commissioner’s Office (ICO), after an investigation found it had failed to protect customers’ data.
The fine follows a three-year investigation into the firm, after many of TalkTalk’s customers reported receiving scam calls from fraudsters posing as technical support staff.
The scam was particularly effective as the fraudsters were able to quote customers’ addresses and account numbers.
Elizabeth Denham, the information commissioner, said that TalkTalk’s failure to protect its customers had put thousands at risk of abuse by the malicious actions of just a small number of people.
She continued: “TalkTalk should have known better and they should have put their customers first.”
According to the ICO, the problem came from a TalkTalk portal through which users could access reams of information about individual customers. However, this portal was not sufficiently secure.
Wipro, a multinational IT services company based in India, had access to the portal, as it helped resolve high-level complaints and network coverage problems on TalkTalk’s behalf. But the ICO found that three Wipro accounts had been used to gain unauthorised and unlawful access to personal details of as many as 21,000 customers.
In total, 40 Wipro employees had access to the data of between 25,000 and 50,000 TalkTalk customers. No controls were put in place to restrict access to only devices linked to the firm: Wipro staff could access the portal from any internet-enabled device, and they could also view large numbers of customer records at a time and export data easily.
According to the ICO, TalkTalk should have been aware of the risks, and of the potential for misuse of personal data to cause substantial damage or distress, and should have taken measures to protect against potential scams and frauds.
This is the second time the ICO has fined TalkTalk over its insufficient protection of customer data, after the firm was whacked with a £400,000 fine – a new record – last October. That fine followed a cyber attack in 2015, in which account details of around 157,000 customers were stolen. At the time Denham said TalkTalk had failed to implement “the most basic cyber security measures”.