As if last year's £400,000 fine were not enough, TalkTalk has been handed a further £100,000 fine for reportedly breaching data protection law in its handling of customer information.
Unlike the last fine, which followed the exposure of a large number of customers' details in a malicious attack, this one is for an alleged lack of information-security controls that left customer data "open to exploitation by rogue employees."
TalkTalk employees reportedly had access to a great deal of customer information, which heightens the need for internal controls on who can see what, and why.
The latest issue
This particular problem came to light when customers complained of calls from scammers. The callers posed as TalkTalk support staff and, to "verify" who they were, reportedly quoted the customers' own addresses and TalkTalk account numbers: information that only TalkTalk and its authorised agents should have been able to see.
The ICO investigated the complaints and found that TalkTalk operated a portal through which staff could query a customer database. Access to the portal was also given to Wipro, an India-based IT services company that handles TalkTalk's customer complaints and network-coverage problems. The level of access granted to Wipro, however, is said to have been unreasonably broad, putting customers at risk.
Unauthorised access confirmed
Three employee accounts were found to have accessed the personal information of up to 21,000 TalkTalk customers without authorisation. With that much information available to so many people, it was perhaps inevitable that someone would break the rules and look at records they had no right to see.
The ICO found that "forty Wipro employees had access to data of between 25,000 and 50,000 TalkTalk customers". The obvious question is why: unless 50,000 customers all had a service or network complaint open at once, Wipro staff had no business need for access to that many records.
There’s more…
Wipro employees could also:
- Log in to the portal from any internet-connected device, with no restrictions. This included connecting remotely, so employees could reach the customer database from home;
- Run "wildcard" searches to trawl through customers rather than looking up a specific account;
- View up to 500 customer records at a time.
The ICO condemned this level of access and lack of control, describing it as "unjustifiably wide-ranging and put the data at risk". It may be easier to give every employee unlimited access to every customer record, but TalkTalk has a responsibility under data protection law to ensure the personal data it holds is not misused, and that responsibility includes limiting access to what each role actually needs.
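The three weaknesses above (any device, wildcard searches, 500 records per view) map directly onto the kind of least-privilege checks a portal should enforce. The following is an added example written for this page, not TalkTalk's or Wipro's code: a small authorisation layer that rejects those three patterns, keeps an audit trail, and runs a simple detection pass over that trail to flag an agent who touches far more distinct accounts than a complaint queue would require. The approved network range, the account-number format, the thresholds and all sample records are assumptions made for the example.

```python
"""
Added example (not TalkTalk's or Wipro's code): least-privilege checks in
front of a customer-record lookup, contrasted with the unrestricted behaviour
the ICO criticised. Network ranges, account format, thresholds and sample
data are assumptions made for this illustration.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Optional

# Constructed sample data: 600 accounts and two open complaint cases.
CUSTOMERS = {f"TT{100000 + i}": {"name": f"Customer {i}"} for i in range(600)}
OPEN_CASES = {"CASE-1": "TT100007", "CASE-2": "TT100042"}  # case id -> account it concerns

APPROVED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed support-desk VPN range
ACCOUNT_RE = re.compile(r"TT\d{6}")                      # assumed account-number format
AUDIT: list = []                                         # (agent, query, decision, detail)


def weak_search(pattern: str, limit: int = 500) -> list:
    """The behaviour the ICO criticised, kept for contrast: a wildcard pattern,
    no network or case check, and up to 500 records per call. Do not deploy."""
    rx = re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")
    return [acct for acct in CUSTOMERS if rx.match(acct)][:limit]


def authorise(agent: str, src_ip: str, query: str, case_id: Optional[str]) -> str:
    """Return "ALLOW" or the reason for denial. Every decision is audited."""
    reason = None
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in net for net in APPROVED_NETS):
        reason = "source address outside approved network"   # no 'any device, anywhere'
    elif not ACCOUNT_RE.fullmatch(query):
        reason = "query must be an exact account number"      # no wildcard searches
    elif case_id is None or OPEN_CASES.get(case_id) != query:
        reason = "no open case for this account"              # access needs a justification
    elif query not in CUSTOMERS:
        reason = "no such account"
    decision = "ALLOW" if reason is None else "DENY"
    AUDIT.append((agent, query, decision, reason or case_id))
    return decision if reason is None else reason


def lookup_customer(agent: str, src_ip: str, account: str,
                    case_id: Optional[str]) -> Optional[dict]:
    """One record per justified lookup; None when the request is denied."""
    if authorise(agent, src_ip, account, case_id) != "ALLOW":
        return None
    return CUSTOMERS[account]


def flag_bulk_access(events, max_distinct: int = 20) -> dict:
    """Detection over the audit trail: agents whose distinct successful lookups
    exceed what a complaint queue plausibly needs in one shift."""
    seen = defaultdict(set)
    for agent, acct, decision, _ in events:
        if decision == "ALLOW":
            seen[agent].add(acct)
    return {a: len(s) for a, s in seen.items() if len(s) > max_distinct}


if __name__ == "__main__":
    print(len(weak_search("TT10*")))                             # 500 records in one call
    print(lookup_customer("agent7", "10.20.5.5", "TT100007", "CASE-1"))
    print(authorise("agent7", "203.0.113.9", "TT100007", "CASE-1"))
    print(authorise("agent7", "10.20.5.5", "TT1000*", "CASE-1"))
    # Constructed audit lines: one agent touching 25 distinct accounts.
    rogue = [("rogue", f"TT{100100 + i}", "ALLOW", None) for i in range(25)]
    print(flag_bulk_access(rogue))                               # {'rogue': 25}
```

The point of tying each lookup to an open case is that it turns "who can see customer data" into "who can see this customer's data, right now, for this reason". The audit trail then records a justification with every access, which is what lets the final function separate a busy agent from a rogue one.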
Stern warnings from the ICO
The Information Commissioner, Elizabeth Denham, warned that companies cannot outsource their data protection responsibilities to third parties: they must vet their vendors and satisfy themselves that the vendor's security measures match or exceed their own.
Showing little sympathy for TalkTalk, Denham said:
“TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people… TalkTalk should have known better and they should have put their customers first.”
TalkTalk was therefore fined £100,000 for breaching the seventh principle of the Data Protection Act, for not having "appropriate technical or organisational measures in place to keep personal data secure".