ICO fines TalkTalk £100k for data breach

Data watchdog found that the company failed to use adequate safeguards

TalkTalk

The ICO has fined TalkTalk 100,000 for failing to protect consumer data from hackers in 2014, when personal details of 21,000 customers were leaked into the public domain.

The regulator said TalkTalk had breached the Data Protection Act because it didn't safeguard the huge amounts of data it held about its customers from staff. Employees were able to imporperly access the information, which was used by fraudsters to make scam calls to customers, using their names, addresses, phone numbers and account numbers.

The investigation revealed it was actually employees of Wipro, a third party company working with TalkTalk to resolve complaints about network coverage, that were able to access and swipe the data. The ICO found three Wipro accounts that had siphoned off the data, although 40 employees in total had access to the information.

"TalkTalk may consider themselves to be the victims here," Information Commissioner Elizabeth Denham said. "But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people. TalkTalk should have known better and they should have put their customers first."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The ICO said TalkTalk's actions breached the seventh principle of the Data Protection Act because it didn't have the appropriate technical or operational safeguards in place to prevent employees from accessing the confidential information. This is despite the company being aware of regulations surrounding data protection and having ample time to fix the flaws.

"This incident highlights why it is essential for companies to understand exactly how users are interacting with the network and data," Nir Polak, CEO at Exabeam. "Had TalkTalk had a means to monitor the activities of employees and third parties, its incident response team could have spotted the inappropriate access to customer data."

Measures TalkTalk could have taken to prevent employees accessing the data include ensuring the portal where the customer details were stored could only be accessed from authorised devices and preventing anyone from accessing or exporting the information via the portal.

"Big companies have been able to get away with lax security for years," said Jan van Vliet, Digital Guardian's vice president and general manager for EMEA. "Thankfully, with the GDPR now on the horizon, the days for such complacency really are numbered. These businesses can expect to swap a 100,000 fine for data protection breaches for one in the millions."

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/security/ddos/28039/how-to-protect-against-a-ddos-attack
Security

How to protect against a DDoS attack

25 Oct 2019
Visit/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico
Information Commissioner

What is the Information Commissioner’s Office (ICO)?

5 Sep 2019

Most Popular

Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/technology/artificial-intelligence-ai/354796/ai-identifies-11-earth-bound-asteroids
artificial intelligence (AI)

AI identifies 11 earth-bound asteroids

18 Feb 2020
Visit/business/business-operations/354790/hp-shareholders-invited-to-come-dine-with-xerox
Business operations

HP shareholders invited to come dine with Xerox

17 Feb 2020
Visit/operating-systems/27717/how-to-fix-a-stuck-windows-10-update
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020