Fresh TalkTalk customer data found publicly available online

Information belongs to customers who were told they were unaffected by 2015 breach


Telecoms provider TalkTalk failed to notify 4,454 of its customers that their sensitive data was leaked during its 2015 data breach, and instead led them to believe their data was safe, according to a new report.

The breach, which led to the theft of data including names, email addresses and payment information, was initially thought to have affected just under 157,000 customers.

However, an investigation by BBC Watchdog Live discovered that the affected customers' information could be found through a Google search, and the data is believed to have been publicly available online since the 2015 breach.

The details included names, addresses, email addresses, phone numbers, TalkTalk account numbers, payment information and dates of birth.

A spokesperson for TalkTalk described the incident as a "genuine error", and the company has since contacted customers to apologise.


"The customer data referred to by BBC Watchdog relates to the historical October 2015 data breach," said a TalkTalk spokesperson. "The 2015 incident impacted 4% of TalkTalk customers and at the time we wrote to all those impacted.

"In addition, we wrote to our entire base to inform them about the breach, advise them about the risk of scam calls and offer free credit monitoring to protect against fraud," the spokesperson added. "A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologise."

The Information Commissioner's Office (ICO) handed TalkTalk a £400,000 fine after the original security breach, setting a record at the time. The ICO was able to fine companies in breach of data protection rules and regulations up to £500,000 until the GDPR and Data Protection Act 2018 rules came into effect a year ago this week.

"This information raises concern and we will be making further enquiries with TalkTalk," said an ICO spokesperson, speaking to IT Pro. "Under data protection law organisations have the obligation to keep personal data secure, whether in electronic or paper format, and we will take enforcement action against those who willfully, negligently or persistently break the law."

We also asked the data protection watchdog if it would be taking any action against TalkTalk retrospectively, but it declined to clarify further.


Matthew Hanley and Connor Allsopp, both in their early twenties, pled guilty to the data breach in April 2017, and were sentenced to 12 months and eight months respectively. The data breach is said to have cost the company £77 million.

Following the initial £400,000 fine, the ICO issued TalkTalk with a further £100,000 fine for a separate data incident in 2014. In this case, employees were able to improperly access the information, which was used by fraudsters to make scam calls to customers, using their names, addresses, phone numbers and account numbers.
