Carphone Warehouse and TalkTalk could face prosecution if they do not improve their data protection, after the companies were accused of mishandling customers' personal data.
The Information Commissioner's Office (ICO) said the mobile phone firm and its broadband company breached the Data Protection Act when they opened customer accounts in the wrong name and sent incorrect information to credit reference agencies and debt collectors.
The ICO said security issues displayed account details online, and that the two companies had not responded to requests by individuals for the information held on them - a key tenet of the act.
Mick Gorrill, assistant commissioner at the ICO, said: "The Data Protection Act gives us all important rights, including the right to correct inaccurate information and to find out what information an organisation holds on us. Organisations that process personal information must comply with the act and, where we find that this is not the case, the ICO will take enforcement action."
He added: "Carphone Warehouse and TalkTalk's use of inaccurate and incorrect personal data has caused real damage and distress to customers. We have now ordered them to take the necessary steps to ensure customers' personal information is sufficiently protected."
The firms were sent enforcement notices, ordering them to improve their data protection management. Not complying with such notices is a criminal offence - and the ICO stressed it may take further action against the two firms if it isn't satisfied with their response.
A spokesperson for Carphone Warehouse said: "We are aware that a very small number of our customers raised concerns with the ICO some time ago. The issues were primarily caused by the significant interest in TalkTalk's introduction of free broadband, over 18 months ago."
"We take these matters very seriously indeed, and as soon as these concerns were brought to our attention we took immediate steps to resolve them and to ensure we are fully compliant with the Data Protection Act," the spokesperson said. "We apologise for any inconvenience that may have been caused and we will continue to work with the ICO in meeting and exceeding their expectations in this and any other respect."
