ICO fines TalkTalk £100k for data breach
Data watchdog found that the company failed to use adequate safeguards
The ICO has fined TalkTalk 100,000 for failing to protect consumer data from hackers in 2014, when personal details of 21,000 customers were leaked into the public domain.
The regulator said TalkTalk had breached the Data Protection Act because it didn't safeguard the huge amounts of data it held about its customers from staff. Employees were able to imporperly access the information, which was used by fraudsters to make scam calls to customers, using their names, addresses, phone numbers and account numbers.
The investigation revealed it was actually employees of Wipro, a third party company working with TalkTalk to resolve complaints about network coverage, that were able to access and swipe the data. The ICO found three Wipro accounts that had siphoned off the data, although 40 employees in total had access to the information.
"TalkTalk may consider themselves to be the victims here," Information Commissioner Elizabeth Denham said. "But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people. TalkTalk should have known better and they should have put their customers first."
The ICO said TalkTalk's actions breached the seventh principle of the Data Protection Act because it didn't have the appropriate technical or operational safeguards in place to prevent employees from accessing the confidential information. This is despite the company being aware of regulations surrounding data protection and having ample time to fix the flaws.
"This incident highlights why it is essential for companies to understand exactly how users are interacting with the network and data," Nir Polak, CEO at Exabeam. "Had TalkTalk had a means to monitor the activities of employees and third parties, its incident response team could have spotted the inappropriate access to customer data."
Measures TalkTalk could have taken to prevent employees accessing the data include ensuring the portal where the customer details were stored could only be accessed from authorised devices and preventing anyone from accessing or exporting the information via the portal.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"Big companies have been able to get away with lax security for years," said Jan van Vliet, Digital Guardian's vice president and general manager for EMEA. "Thankfully, with the GDPR now on the horizon, the days for such complacency really are numbered. These businesses can expect to swap a 100,000 fine for data protection breaches for one in the millions."
TalkTalk hack: Two men plead guilty to TalkTalk hack GDPR preparation: 2018 data protection changes General Data Protection Regulation (GDPR)
Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.