
New TalkTalk fine takes total for poor data protection to £500,000

Information Commissioner’s Office fines TalkTalk for putting up to 21,000 customers’ details at risk of exposure prior to September 2014

TalkTalk has been issued with another fine for failing to look after customers’ data, 10 months after being hit with a record fine of £400,000.

The previous penalty was imposed in October 2016 for the cyber attack in 2015 that exposed the personal details of more than 150,000 customers, but TalkTalk has now received an additional fine of £100,000.

The latest fine is the result of an Information Commissioner’s Office (ICO) investigation that found TalkTalk had breached the Data Protection Act because a third party supplier allowed staff to have access to large quantities of customers’ data.

TalkTalk’s lack of adequate security measures left the data open to exploitation by rogue employees, the ICO said.

The breach came to light in September 2014 when TalkTalk began getting complaints from customers that they were receiving scam calls in which the scammers pretended they were providing support for technical problems and quoted customers’ addresses and TalkTalk account numbers.

Asked why the ICO had issued a fine now, so long after the fine for the 2015 breach, an ICO spokesperson told Computer Weekly there were two investigations that were totally different and separate, and that complicated cases typically take longer to finalise.

The ICO launched an investigation into how customers’ names, addresses, phone numbers and account numbers were compromised.

Although the investigation did not find direct evidence of a link between the compromised information and the complaints about scam calls, it did uncover data protection issues with a TalkTalk portal through which customer information could be accessed.

One of the companies with access to the portal was Wipro, a multinational IT services company in India that resolved complaints and addressed network coverage problems. A specialist investigation by TalkTalk identified three Wipro accounts that had been used to gain unauthorised and unlawful access to the personal data of up to 21,000 customers.

The investigation also found that 40 Wipro employees had access to the data of between 25,000 and 50,000 TalkTalk customers, and that they could log into the portal from any device, view up to 500 customer records at a time, carry out searches and export data.


The ICO found this level of access was unjustifiably wide-ranging and put the data at risk, showing that TalkTalk did not have appropriate measures in place to keep data secure.

Information commissioner Elizabeth Denham said TalkTalk should have known better and should have put its customers first.

“TalkTalk may consider themselves to be the victims here, but the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people,” she said.

The investigation found that TalkTalk should have been aware of the risks and that the misuse of personal data was likely to cause substantial damage or distress.

The ICO said the company should also have been aware of the increasing prevalence of scams and attempted frauds, and should have assessed the measures it had in place to mitigate against them.

According to the ICO, TalkTalk had ample opportunity over a long period of time to implement appropriate measures, but failed to do so. The company should have made sure the portal could only be accessed from authorised devices and could have taken steps to prevent large-scale accessing and exporting of personal data through the portal, the ICO said.
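The controls the ICO describes (restricting the portal to authorised devices and limiting bulk viewing and export) can be expressed as a policy check over the portal's audit trail. The following is an added Python example, not TalkTalk's or Wipro's code; the JSON-lines log format, field names, device allowlist, supplier-account prefix and numeric caps are all assumptions chosen to illustrate the point, and the log lines are constructed.

```python
"""Policy check over a customer-portal audit log.

Added example; the JSON-lines log format, field names, device allowlist
and caps below are assumptions, not TalkTalk's or Wipro's configuration.
"""
import json
from collections import defaultdict

# Constructed sample audit log (one JSON object per line). Not real data.
SAMPLE_LOG = """\
{"ts": "2014-08-01T09:00:01Z", "user": "wipro_agent_01", "device": "WIP-LAPTOP-0412", "action": "login"}
{"ts": "2014-08-01T09:01:10Z", "user": "wipro_agent_01", "device": "WIP-LAPTOP-0412", "action": "view", "records": 1}
{"ts": "2014-08-01T09:05:42Z", "user": "wipro_agent_01", "device": "WIP-LAPTOP-0412", "action": "export", "records": 1}
{"ts": "2014-08-01T10:12:00Z", "user": "wipro_agent_02", "device": "WIP-LAPTOP-0413", "action": "search", "records": 500}
{"ts": "2014-08-01T10:13:30Z", "user": "wipro_agent_02", "device": "WIP-LAPTOP-0413", "action": "view", "records": 150}
{"ts": "2014-08-01T10:20:15Z", "user": "wipro_agent_02", "device": "WIP-LAPTOP-0413", "action": "view", "records": 100}
{"ts": "2014-08-01T21:15:00Z", "user": "wipro_agent_07", "device": "UNKNOWN-ANDROID", "action": "login"}
{"ts": "2014-08-01T21:15:40Z", "user": "wipro_agent_07", "device": "UNKNOWN-ANDROID", "action": "search", "records": 500}
"""

# Assumed policy: only enrolled devices, a per-user daily cap on records
# served, and no bulk export for supplier accounts (identified by prefix).
AUTHORISED_DEVICES = {"WIP-LAPTOP-0412", "WIP-LAPTOP-0413"}
SUPPLIER_PREFIX = "wipro_"
DAILY_RECORD_CAP = 200


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(events, authorised_devices=AUTHORISED_DEVICES,
             daily_cap=DAILY_RECORD_CAP):
    """Apply the policy to each event in order.

    Returns (decisions, alerts): one "allow"/"deny" per event, and a
    human-readable alert for every denial. Denied requests do not count
    towards the cap because the portal would not have served them.
    """
    served = defaultdict(int)          # (user, date) -> records served so far
    decisions, alerts = [], []
    for e in events:
        user, device, action = e["user"], e["device"], e["action"]
        day = e["ts"][:10]
        n = e.get("records", 0)

        if device not in authorised_devices:
            decisions.append("deny")
            alerts.append(f"{user}: {action} from unenrolled device {device}")
        elif action == "export" and user.startswith(SUPPLIER_PREFIX):
            decisions.append("deny")
            alerts.append(f"{user}: export blocked for supplier account")
        elif served[(user, day)] + n > daily_cap:
            decisions.append("deny")
            alerts.append(f"{user}: {n} records would exceed daily cap "
                          f"of {daily_cap} on {day}")
        else:
            served[(user, day)] += n
            decisions.append("allow")
    return decisions, alerts


if __name__ == "__main__":
    _, found = evaluate(parse_log(SAMPLE_LOG))
    print("\n".join(found))
```

Run against the constructed log, the check denies the export, the two searches that would exceed the daily cap (including a single 500-record page of the kind the article says the portal allowed) and everything from the unenrolled device. In practice the device and cap rules belong in the portal's own authorisation path so that the request is refused, with the same logic replayed over the audit log to alert on attempts; running it only after the fact, as a detection, would still have surfaced the pattern the ICO criticised.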

TalkTalk told Computer Weekly that the company notified the ICO in 2014 of its suspicions that a small number of employees at one of its third-party suppliers were abusing their access to non-financial customer data.

“We informed our customers at the time and launched a thorough investigation, which has led to us withdrawing all customer service operations from India. We continue to take our customers’ data and privacy incredibly seriously, and while there is no evidence that any of the data was passed on to third parties, we apologise to those affected by this incident,” a spokesperson said.

The £400,000 penalty was issued in October 2016 after the ICO found TalkTalk had failed to apply “the most basic cyber security measures”, leaving its database vulnerable to a SQL injection attack after failing to apply a fix for a software bug that had been available for more than three years.
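For readers unfamiliar with the vulnerability class behind the 2015 breach, the following is an added Python example, not TalkTalk's code (the page does not show the affected software or the vendor fix it missed). It contrasts a lookup that builds its WHERE clause by string concatenation with a parameterised one, against an in-memory SQLite table of constructed customer rows:

```python
"""Vulnerable versus parameterised lookup of a customer record.

Added example, not TalkTalk's code: the page does not show the affected
software. The table, rows and payload below are constructed.
"""
import sqlite3


def make_db():
    """Build an in-memory SQLite table with constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, account_no TEXT, "
        "name TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (account_no, name, phone) VALUES (?, ?, ?)",
        [
            ("TT-000001", "A. Customer", "01632 960001"),  # constructed rows
            ("TT-000002", "B. Customer", "01632 960002"),
            ("TT-000003", "C. Customer", "01632 960003"),
        ],
    )
    return conn


def lookup_vulnerable(conn, account_no):
    """Concatenates the input into the query, so it is parsed as SQL."""
    sql = ("SELECT account_no, name, phone FROM customers "
           "WHERE account_no = '" + account_no + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, account_no):
    """Binds the input as a parameter; the driver never parses it as SQL."""
    return conn.execute(
        "SELECT account_no, name, phone FROM customers WHERE account_no = ?",
        (account_no,),
    ).fetchall()


# Classic tautology payload: turns "account_no = ''" into a condition
# that is always true, so every row in the table is returned.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", len(lookup_vulnerable(db, PAYLOAD)), "rows leaked")
    print("safe:      ", len(lookup_safe(db, PAYLOAD)), "rows")
```

With a genuine account number both functions return one row; with the payload the concatenated query hands back the whole table, while the parameterised query looks for a customer whose account number is literally the payload string and finds nothing. The same pattern applies whether the concatenation sits in hand-written code or, as in TalkTalk's case, in third-party software that has a published fix waiting to be applied.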

At the time, some commentators questioned whether even the maximum fine of £500,000 that the ICO could impose under the UK Data Protection Act was enough to make large organisations improve their security practices.

New legislation

Since then, the UK government has announced plans to introduce new data protection legislation in line with the EU’s General Data Protection Regulation (GDPR) that will enable the ICO to impose fines of up to £17m or 4% of an organisation’s global turnover.

However, commenting on the increased fines, the information commissioner said issuing fines has always been, and will continue to be, a last resort.

Denham said the UK fought for increased powers when the GDPR was being drawn up because heavy fines for serious breaches reflect just how important personal data is in a 21st century world, but the ICO intends to use those powers proportionately and judiciously.

In May 2017, former TalkTalk CEO Dido Harding said the biggest lesson learned from the 2015 cyber attack was that TalkTalk, and everyone else, was not taking cyber security seriously enough.

“We thought we were taking it seriously, but of course we weren’t taking it seriously enough, and no one is,” she told the Security Innovation Network (Sinet) Global Cybersecurity Innovation Summit in London. “A lot of business leaders are afraid of it, and want to delegate it down.”

The other big learning is that getting the basics right is really difficult, said Harding. “I don’t like the term cyber hygiene because it implies that those who haven’t got their hygiene right are stupid, but it is just darned hard to do,” she said.

However, Harding said that just by focusing on those basics, many companies, including TalkTalk, could have prevented a cyber attack.

“We were guilty of not knowing our total network footprint,” she said. “We were attacked on a website that was no longer being used, hadn’t been used by a company we had bought 10 years ago, and hadn’t been picked up by any of the due diligence done.

“Now you can argue that we should have found it, but we hadn’t. On that website, which was developed more than 10 years ago, there was an SQL injection vulnerability, which was obvious if you knew it existed – but we didn’t.”
