Fresh TalkTalk customer data found publicly available online

Information belongs to customers who were told they were unaffected by 2015 breach

TalkTalk logo on a phone

Telecoms provider TalkTalk failed to notify 4,454 of its customers that their sensitive data was leaked during its 2015 data breach, and instead led them to believe their data was safe, according to a new report.

The breach, which led to the theft of data including names, email addresses and payment information, was initially thought to have affected just under 157,000 customers.

However, following an investigation from BBC Watchdog Live, it was discovered that affected customers' information could be accessed through a Google search, data which is believed to have been publicly available online since the 2015 breach.

The details included names, addresses, email addresses, phone numbers, TalkTalk account numbers, payment information and dates of births.

A spokesperson for TalkTalk described the incident as a "genuine error" and has since contacted customers to apologise.

"The customer data referred to by BBC Watchdog relates to the historical October 2015 data breach," said a TalkTalk spokesperson. "The 2015 incident impacted 4% of TalkTalk customers and at the time we wrote to all those impacted.

"In addition, we wrote to our entire base to inform them about the breach, advise them about the risk of scam calls and offer free credit monitoring to protect against fraud," the spokesperson added. "A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologise."

The Information Commissioner's Office (ICO) handed TalkTalk a 400,000 fine after the original security breach, setting a record at the time. The ICO was able to fine companies in breach of data protection rules and regulations up to 500,000 until the GDPR and Data Protection Act 2018 rules came into effect a year ago this week.

"This information raises concern and we will be making further enquiries with TalkTalk," said an ICO spokesperson, speaking to IT Pro. "Under data protection law organisations have the obligation to keep personal data secure, whether in electronic or paper format, and we will take enforcement action against those who willfully, negligently or persistently break the law."

We also asked the data protection watchdog if it would be taking any action against TalkTalk retrospectively, but it declined to clarify further.

Matthew Hanley and Connor Allsopp, both in their early twenties, pled guilty to the data breach in April 2017, and were sentenced to 12 months and eight months respectively. The data breach is said to have cost the company 77 million.

Following the initial 400,000 fine, the ICO issued TalkTalk with a further 100,000 fine for a separate data incident in 2014. In this case, employees were able to improperly access the information, which was used by fraudsters to make scam calls to customers, using their names, addresses, phone numbers and account numbers.

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Leading the data race

The trends driving the future of data science

Download now

How to create 1:1 customer experiences at scale

Meet the technology capable of delivering the personalisation your customers crave

Download now

How to achieve daily SAP releases

Accelerate the pace of SAP change to support your digital strategy

Download now

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
The Xbox Series X shows how far the cloud still has to go
Cloud

The Xbox Series X shows how far the cloud still has to go

25 Sep 2020