Fresh TalkTalk customer data found publicly available online

Information belongs to customers who were told they were unaffected by 2015 breach

TalkTalk logo on a phone

Telecoms provider TalkTalk failed to notify 4,454 of its customers that their sensitive data was leaked during its 2015 data breach, and instead led them to believe their data was safe, according to a new report.

The breach, which led to the theft of data including names, email addresses and payment information, was initially thought to have affected just under 157,000 customers.

However, following an investigation from BBC Watchdog Live, it was discovered that affected customers' information could be accessed through a Google search, data which is believed to have been publicly available online since the 2015 breach.

The details included names, addresses, email addresses, phone numbers, TalkTalk account numbers, payment information and dates of births.

A spokesperson for TalkTalk described the incident as a "genuine error" and has since contacted customers to apologise.

Advertisement - Article continues below
Advertisement - Article continues below

"The customer data referred to by BBC Watchdog relates to the historical October 2015 data breach," said a TalkTalk spokesperson. "The 2015 incident impacted 4% of TalkTalk customers and at the time we wrote to all those impacted.

"In addition, we wrote to our entire base to inform them about the breach, advise them about the risk of scam calls and offer free credit monitoring to protect against fraud," the spokesperson added. "A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologise."

The Information Commissioner's Office (ICO) handed TalkTalk a 400,000 fine after the original security breach, setting a record at the time. The ICO was able to fine companies in breach of data protection rules and regulations up to 500,000 until the GDPR and Data Protection Act 2018 rules came into effect a year ago this week.

"This information raises concern and we will be making further enquiries with TalkTalk," said an ICO spokesperson, speaking to IT Pro. "Under data protection law organisations have the obligation to keep personal data secure, whether in electronic or paper format, and we will take enforcement action against those who willfully, negligently or persistently break the law."

We also asked the data protection watchdog if it would be taking any action against TalkTalk retrospectively, but it declined to clarify further.

Advertisement - Article continues below

Matthew Hanley and Connor Allsopp, both in their early twenties, pled guilty to the data breach in April 2017, and were sentenced to 12 months and eight months respectively. The data breach is said to have cost the company 77 million.

Following the initial 400,000 fine, the ICO issued TalkTalk with a further 100,000 fine for a separate data incident in 2014. In this case, employees were able to improperly access the information, which was used by fraudsters to make scam calls to customers, using their names, addresses, phone numbers and account numbers.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
General Data Protection Regulation (GDPR)

Data protection fines hit £100m during first 18 months of GDPR

20 Jan 2020