The Information Commissioner's Office (ICO) has fined TalkTalk for failing to hold customer data securely. A large amount of customer data was accessible on a TalkTalk portal to an external company, Wipro Limited (Wipro), which provided assistance with resolving complaints and network coverage problems. That access was provided without sufficient security controls or access restrictions.
TalkTalk carried out an internal investigation following customer complaints about scam callers who pretended to be providing technical support and who were in possession of the customer's TalkTalk account number. The investigation uncovered that three Wipro employees had misused their access to the data on the portal and unlawfully obtained the details of up to 21,000 individuals. Although no causal link was established between that unauthorised access and the scam calls, the ICO found that TalkTalk had breached its duty to have appropriate safeguards in place around customers' data on the platform.
The ICO identified three major concerns in respect of the forty Wipro employees with access to the portal. First, while access to the portal was controlled by log-in details, there were no controls over which devices could connect to it. Second, the data available to Wipro staff was not restricted to the specific customers they were dealing with, as it should have been; instead some 25,000 to 50,000 customer records were available to the Wipro employees. Third, the Wipro employees could run wildcard searches returning up to 500 records at a time. The ICO found this level of access unacceptable.
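The three findings above correspond to three controls a support portal can enforce: a device allow-list, lookups scoped to the accounts on an agent's assigned cases, and rejection of wildcard or bulk queries in favour of a single exact account number. The following is an added illustration of those controls in Python; it is not code from the ICO notice or from TalkTalk's or Wipro's systems, and the customer records, agent names, device IDs, assignment table and `ACC-nnnn` account-number format are all constructed for the example. The weak `unrestricted_search` is shown beside the hardened `restricted_lookup` so the difference in what a single query can return is visible.

```python
"""Added illustration of the controls the ICO found missing: device restriction,
assignment-scoped access, and no wildcard or bulk search. All data, agent names,
device IDs and the account-number format are constructed for the example."""
import fnmatch
import re

# Constructed customer records (not real data)
CUSTOMERS = {
    "ACC-1001": {"name": "A. Example", "postcode": "AB1 2CD"},
    "ACC-1002": {"name": "B. Example", "postcode": "AB1 2CE"},
    "ACC-1003": {"name": "C. Example", "postcode": "XY9 8ZW"},
    "ACC-1004": {"name": "D. Example", "postcode": "XY9 8ZX"},
}

# Hypothetical case assignment: accounts on tickets currently open with each agent
ASSIGNED_ACCOUNTS = {
    "agent-07": {"ACC-1001", "ACC-1002"},
    "agent-12": {"ACC-1003"},
}

# Hypothetical device enrolment: the only devices permitted to reach the portal
ENROLLED_DEVICES = {
    "agent-07": {"laptop-a1f3"},
    "agent-12": {"laptop-9c02"},
}

ACCOUNT_FORMAT = re.compile(r"ACC-\d{4}")  # hypothetical exact account-number format
AUDIT_LOG = []  # one entry per lookup attempt, allowed or denied


def unrestricted_search(pattern):
    """The weak design: any logged-in user on any device may run a wildcard
    search over the whole customer table and receive every match."""
    return {acc: rec for acc, rec in CUSTOMERS.items()
            if fnmatch.fnmatchcase(acc, pattern)}


def restricted_lookup(agent, device_id, query):
    """Hardened lookup. Returns (record, None) on success or (None, reason)
    when denied; every attempt, allowed or not, is written to AUDIT_LOG."""
    reason = None
    if device_id not in ENROLLED_DEVICES.get(agent, set()):
        reason = "device not enrolled"
    elif not ACCOUNT_FORMAT.fullmatch(query):
        # Requiring one exact account number rejects '*', '%', prefixes
        # and any other pattern that could pull back many records at once
        reason = "query is not a single exact account number"
    elif query not in ASSIGNED_ACCOUNTS.get(agent, set()):
        reason = "account not on a case assigned to this agent"
    record = CUSTOMERS.get(query) if reason is None else None
    AUDIT_LOG.append({"agent": agent, "device": device_id, "query": query,
                      "allowed": record is not None, "reason": reason})
    return record, reason


def denied_attempts(agent):
    """Number of denied lookups by an agent; a spike is worth investigating."""
    return sum(1 for e in AUDIT_LOG if e["agent"] == agent and not e["allowed"])


if __name__ == "__main__":
    print(len(unrestricted_search("ACC-*")), "records from one wildcard search")
    print(restricted_lookup("agent-07", "laptop-a1f3", "ACC-1001"))
    print(restricted_lookup("agent-07", "laptop-a1f3", "ACC-*"))
    print(restricted_lookup("agent-07", "laptop-a1f3", "ACC-1003"))
    print(restricted_lookup("agent-07", "phone-zz00", "ACC-1001"))
    print(denied_attempts("agent-07"), "denied attempts by agent-07")
```

The design point is that the hardened lookup can never return more than one record, and only a record the agent has a current reason to see, so a rogue employee cannot enumerate the customer base the way the 500-record wildcard searches allowed; the audit entries for denied attempts give the investigation signal that customer complaints had to provide in the case above.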
The ICO fined TalkTalk £100,000 for breaching the seventh data protection principle of the Data Protection Act 1998, which requires appropriate technical and organisational measures to keep personal data secure.