The ICO found that TalkTalk had breached the Data Protection Act by allowing unjustifiably wide-ranging access by external companies including Wipro, a multi-national IT services company in India that addressed complaints and coverage problems on TalkTalk’s behalf, to large quantities of customers’ data. This data included the names, addresses, phone numbers and account numbers of TalkTalk customers. The ICO then found TalkTalk failed to have adequate security measures in place that left the data open to exploitation by rogue employees.

The ICO report referred to TalkTalk’s own investigation confirming that there had been unauthorised and unlawful access by Wipro user accounts of the personal information of up to 21,000 TalkTalk customers. The ICO found that TalkTalk breached the Data Protection Act by failing to have appropriate technical or organisational measures in place to keep its customers’ personal data secure.

At present, Leigh Day has been approached by over 50 customers who claim to have been scammed by fraudsters pretending to be TalkTalk staff. The fraudsters were able to gain the customers’ confidence by quoting their personal details, including their names, addresses and TalkTalk account numbers.

Having gained their trust, the fraudsters then took over the customers’ computers in order to “fix” supposed problems and then arranged for money to be taken from the customers’ bank accounts.

The ICO also recognised that the breach was of a kind likely to cause substantial damage or distress, including being likely to result in some affected customers being defrauded, although also stated that it did not find any direct evidence of a link between the compromised information and the scam calls.

Sean Humber, a solicitor at Leigh Day specialising in information law, commented:

“We welcome the ICO’s clear recognition of TalkTalk’s failure to protect its customers’ information leaving them at a huge risk of being targeted by fraudsters.

“Customers of all companies, particularly those that hold large amounts of customer data online, should be able to trust that their personal and private information is safe and well-protected.

“This trust was shattered by TalkTalk in their major breach of the Data Protection Act.

“The ICO recognised that this data breach was of a kind that likely to result in customers being scammed by fraudsters. After speaking to many TalkTalk customers who were victim of fraudsters pretending to be from TalkTalk and armed with their personal information, we consider that this is what in fact happened.

“We consider that those affected may have claims for compensation under the Data Protection Act and for a breach of their confidence by arguing that the losses suffered were caused by TalkTalk’s failure to keep their personal information secure.”