TalkTalk has been on the receiving end of another hefty fine, this time with the ICO demanding £100,000 in response to cybersecurity deficiencies which led to the unlawful access of 21,000 customers’ accounts.
The ISP was first made aware of the problems in 2014, when customers contacted it complaining of receiving tech support scam phone calls from people quoting their TalkTalk account numbers and addresses.
After investigating, the ICO found the problem lay with a portal used by staff from outsourcer Wipro to access customer info.
However, ignoring the best practice of “least privilege” access controls, TalkTalk allowed 40 Wipro employees to access data on between 25,000 and 50,000 customers.
Not only that, but the Wipro staff were able to log in from any internet-enabled device, view 500 records at a time and conduct “wildcard” searches, allowing them to view and export large volumes of data in one go.
TalkTalk claimed in January 2016 that three Wipro employees had been arrested by Kolkata police.
According to the ICO, TalkTalk had a long period of time in which to tighten security; for example, ensuring the portal could only be accessed from authorized devices, and preventing large-scale access and exporting of the data.
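The controls the ICO says were missing (device restriction, no wildcard searches, caps on record counts and exports, per-agent scope) can be expressed as a single policy gate in front of a customer-lookup portal. The following is an added illustration, not TalkTalk's or Wipro's code; the device IDs, account numbers, agent names and the cap of 25 records are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class SearchRequest:
    agent_id: str
    device_id: str
    query: str
    page_size: int
    export: bool = False

@dataclass
class PortalPolicy:
    authorised_devices: set                     # managed devices allowed to reach the portal
    agent_scope: dict = field(default_factory=dict)  # agent -> account numbers assigned to them
    max_page_size: int = 25                     # constructed cap, far below the 500 at issue
    min_query_len: int = 6                      # rejects "*" and other near-empty searches
    allow_export: bool = False                  # bulk export off unless explicitly granted

WILDCARDS = "*%?"

def evaluate(req: SearchRequest, policy: PortalPolicy) -> list:
    """Return every policy violation for a request; an empty list means allow."""
    violations = []
    if req.device_id not in policy.authorised_devices:
        violations.append("unauthorised device")
    # Strip wildcard characters so "*" or "%" collapse to an empty, rejected query.
    literal = "".join(ch for ch in req.query if ch not in WILDCARDS).strip()
    if len(literal) < policy.min_query_len:
        violations.append("wildcard or overly broad query")
    if req.page_size > policy.max_page_size:
        violations.append("page size above cap")
    if req.export and not policy.allow_export:
        violations.append("bulk export not permitted")
    # Least privilege: an exact account lookup must be within the agent's assigned scope.
    scope = policy.agent_scope.get(req.agent_id, set())
    if literal.isdigit() and literal not in scope:
        violations.append("account outside agent's assigned scope")
    return violations

# Constructed policy and sample requests for a stand-alone run.
POLICY = PortalPolicy(authorised_devices={"vdi-7a13"},
                      agent_scope={"agent-17": {"20140311"}})
BROAD = SearchRequest("agent-17", "home-laptop", "*", 500, export=True)
OK = SearchRequest("agent-17", "vdi-7a13", "20140311", 20)
OUT_OF_SCOPE = SearchRequest("agent-17", "vdi-7a13", "20149999", 20)

if __name__ == "__main__":
    for r in (BROAD, OK, OUT_OF_SCOPE):
        print(r.query, evaluate(r, POLICY))
```

Denied requests should also be written to an audit trail, since the scam calls in this case were the first signal anyone had that the data was being misused.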
“TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people,” said information commissioner Elizabeth Denham, in a statement.
“TalkTalk should have known better and they should have put their customers first.”
This isn’t the first fine TalkTalk has been handed by the privacy watchdog. It was on the receiving end of a £400,000 penalty following a major data breach in 2015 which exposed the personal details of over 156,000 customers.
The ISP is lucky that these two incidents happened when they did, given that the GDPR will levy fines of up to €20m or 4% of global annual turnover when it comes into force next May.