Following an investigation, the ICO found that TalkTalk Telecom Group PLC has breached the Data Protection Act 1998 by allowing staff to have access to large quantities of customers’ data, which left data open to exploitation by rogue employees. The ICO opened the investigation due to many complaints from customers that they were receiving scam calls. It was found that employees of an IT services company used by TalkTalk exploited its access to TalkTalk’s customer portal by accessing the personal data of up to 21,000 people. As a result of TalkTalk’s lack of security measures, the ICO issued a fine of £100,000 and Information Commissioner Elizabeth Denham stated that “TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people. TalkTalk should have known better and they should have put their customers first.”