As if the £400,000 fine last year was not enough, TalkTalk has been slapped with a £100,000 fine for reportedly breaching data protection laws over customer information.
Unlike the last fine, which followed a malicious hack that exposed countless customers’ information, this time TalkTalk is being fined for an alleged lack of information security that left customer data “open to exploitation by rogue employees.”
TalkTalk employees reportedly have access to a great deal of information, heightening the need for internal security measures.
This particular breach was discovered when customers reported complaints of calls from scammers. During these calls, scammers pretended to be support services, and in order to ‘verify’ their position, scammers reportedly quoted the customers’ own addresses and TalkTalk account numbers; information only TalkTalk and authorised agents should have access to.
The ICO investigated the complaints and found that TalkTalk was using a portal where employees could access customer data through a database. Access was shared with Wipro, an India-based IT company tasked with dealing with TalkTalk’s customer complaints and coverage problems. However, the level of access provided to Wipro is said to be unreasonably large, putting customers at risk.
Three employee accounts were found to have accessed the personal information of up to 21,000 TalkTalk customers without authorisation. With such a vast amount of information at their fingertips, it was possibly inevitable that someone would break the rules and access information they had no right to.
The ICO found that “forty Wipro employees had access to data of between 25,000 and 50,000 TalkTalk customers”. The cause for concern is that, unless 50,000 customers wanted to complain about service or network, why would Wipro employees need access to such a great deal of information?
Wipro employees could also:
The level of access and lack of control over customer data was condemned by the ICO, which viewed it as “unjustifiably wide-ranging” and said it “put the data at risk”. Whilst it may be easier to just give all employees unlimited access to all customer data, TalkTalk has a responsibility to uphold data protection rules to ensure the personal data it holds is not misused.
The Information Commissioner Elizabeth Denham warns that companies cannot shift data protection responsibilities to third parties and they must vet vendors to ensure they have a consistent level of security that matches or surpasses the company’s own measures.
Holding very little sympathy for TalkTalk, Denham stated:
“TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people… TalkTalk should have known better and they should have put their customers first.”
TalkTalk was therefore fined £100,000 for breaching the seventh principle of the Data Protection Act: for not having “appropriate technical or organisation measures in place to keep personal data secure”.