Fresh TalkTalk customer data found publicly available online

Information belongs to customers who were told they were unaffected by 2015 breach

TalkTalk logo on a phone

Telecoms provider TalkTalk failed to notify 4,454 of its customers that their sensitive data was leaked during its 2015 data breach, and instead led them to believe their data was safe, according to a new report.

The breach, which led to the theft of data including names, email addresses and payment information, was initially thought to have affected just under 157,000 customers.

However, following an investigation from BBC Watchdog Live, it was discovered that affected customers' information could be accessed through a Google search, data which is believed to have been publicly available online since the 2015 breach.

The details included names, addresses, email addresses, phone numbers, TalkTalk account numbers, payment information and dates of births.

A spokesperson for TalkTalk described the incident as a "genuine error" and has since contacted customers to apologise.

"The customer data referred to by BBC Watchdog relates to the historical October 2015 data breach," said a TalkTalk spokesperson. "The 2015 incident impacted 4% of TalkTalk customers and at the time we wrote to all those impacted.

"In addition, we wrote to our entire base to inform them about the breach, advise them about the risk of scam calls and offer free credit monitoring to protect against fraud," the spokesperson added. "A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologise."

The Information Commissioner's Office (ICO) handed TalkTalk a 400,000 fine after the original security breach, setting a record at the time. The ICO was able to fine companies in breach of data protection rules and regulations up to 500,000 until the GDPR and Data Protection Act 2018 rules came into effect a year ago this week.

"This information raises concern and we will be making further enquiries with TalkTalk," said an ICO spokesperson, speaking to IT Pro. "Under data protection law organisations have the obligation to keep personal data secure, whether in electronic or paper format, and we will take enforcement action against those who willfully, negligently or persistently break the law."

We also asked the data protection watchdog if it would be taking any action against TalkTalk retrospectively, but it declined to clarify further.

Matthew Hanley and Connor Allsopp, both in their early twenties, pled guilty to the data breach in April 2017, and were sentenced to 12 months and eight months respectively. The data breach is said to have cost the company 77 million.

Following the initial 400,000 fine, the ICO issued TalkTalk with a further 100,000 fine for a separate data incident in 2014. In this case, employees were able to improperly access the information, which was used by fraudsters to make scam calls to customers, using their names, addresses, phone numbers and account numbers.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
REvil threatens to release Apple’s hardware schematics
ransomware

REvil threatens to release Apple’s hardware schematics

21 Apr 2021