On 7th August 2017 The Information Commissioner's Office (ICO) fined TalkTalk £100,000 for leaving its customers' data open to exploitation when sharing the information with a third party. This is the company’s second major fine in a year for failing to protect customers' information from scammers.
The ICO reprimanded the firm and said TalkTalk should have been aware of the risks, which it had failed to mitigate despite having "ample opportunity over a long period".
The penalty is the result of a three-year investigation into the protections TalkTalk had in place when sharing data with its customer service outsourcer Wipro.
The breach initially came to light in September 2014 when TalkTalk started getting complaints from customers that they were receiving scam calls. Typically, the scammers pretended they were providing support for technical problems. They quoted customers’ names, addresses and TalkTalk account numbers.
The issue lay with a TalkTalk portal through which customer information could be accessed. A specialist investigation by the ICO identified three Wipro accounts that had been used to gain unauthorised and unlawful access to excessive amounts of personal data of up to 21,000 customers.
However, the ICO investigation did not find direct evidence of a link between the compromised information and the complaints about scam calls.
The data protection principles outlined in the Data Protection Act 1998 include that:
‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data.’
It is the duty of a data controller, in this case TalkTalk, to comply with the data protection principles in relation to all personal data in respect of which it is the data controller. There has thus been a clear contravention of the Data Protection Act and a deviation from its principles.
This is the second time TalkTalk has been subject to ICO enforcement, with the watchdog issuing a record £400,000 monetary penalty last year for failing to protect its customers' details from cyber criminals.
Information Commissioner Elizabeth Denham said:
“TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people. TalkTalk should have known better!”
If you need advice on regulatory compliance, are being investigated or would like to appeal against enforcement, please do not hesitate to contact Andrew Swan - Head of Regulation and Financial Crime, or Sheila Ramshaw - Specialist in Regulation, at Short, Richardson & Forth on 0191 232 0283.