ICO fines TalkTalk £100k for data breach

Data watchdog found that the company failed to use adequate safeguards

TalkTalk

The ICO has fined TalkTalk 100,000 for failing to protect consumer data from hackers in 2014, when personal details of 21,000 customers were leaked into the public domain.

The regulator said TalkTalk had breached the Data Protection Act because it didn't safeguard the huge amounts of data it held about its customers from staff. Employees were able to imporperly access the information, which was used by fraudsters to make scam calls to customers, using their names, addresses, phone numbers and account numbers.

The investigation revealed it was actually employees of Wipro, a third party company working with TalkTalk to resolve complaints about network coverage, that were able to access and swipe the data. The ICO found three Wipro accounts that had siphoned off the data, although 40 employees in total had access to the information.

"TalkTalk may consider themselves to be the victims here," Information Commissioner Elizabeth Denham said. "But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people. TalkTalk should have known better and they should have put their customers first."

The ICO said TalkTalk's actions breached the seventh principle of the Data Protection Act because it didn't have the appropriate technical or operational safeguards in place to prevent employees from accessing the confidential information. This is despite the company being aware of regulations surrounding data protection and having ample time to fix the flaws.

"This incident highlights why it is essential for companies to understand exactly how users are interacting with the network and data," Nir Polak, CEO at Exabeam. "Had TalkTalk had a means to monitor the activities of employees and third parties, its incident response team could have spotted the inappropriate access to customer data."

Measures TalkTalk could have taken to prevent employees accessing the data include ensuring the portal where the customer details were stored could only be accessed from authorised devices and preventing anyone from accessing or exporting the information via the portal.

"Big companies have been able to get away with lax security for years," said Jan van Vliet, Digital Guardian's vice president and general manager for EMEA. "Thankfully, with the GDPR now on the horizon, the days for such complacency really are numbered. These businesses can expect to swap a 100,000 fine for data protection breaches for one in the millions."

Featured Resources

Edge-enabled mobility of the future

Turning vehicle data into value

Download now

Modern networking for the borderless enterprise

Five ways top organisations are optimising networking at the edge

Download now

Address multi-cloud configuration risks

Cloud security challenges and how to overcome them

Watch now

The total economic impact of IBM Security Verify

Cost savings and business benefits enabled by IBM Security Verify

Download now

Recommended

How to enable private browsing on any device
privacy

How to enable private browsing on any device

8 Mar 2021
Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

5 Mar 2021
IT security awareness and training firm KnowBe4 acquires MediaPRO
Acquisition

IT security awareness and training firm KnowBe4 acquires MediaPRO

3 Mar 2021
High-risk email security threats increased by 32% last year
phishing

High-risk email security threats increased by 32% last year

3 Mar 2021

Most Popular

UK gov flip-flops on remote work, wants it a standard for all jobs
flexible working

UK gov flip-flops on remote work, wants it a standard for all jobs

5 Mar 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021
Star Alliance passenger data stolen in SITA data breach
data breaches

Star Alliance passenger data stolen in SITA data breach

5 Mar 2021