TalkTalk has been fined £100,000 after data belonging to 21,000 customers was exposed to “rogue” staff at a call centre in India.
The UK data watchdog found three employees from Indian tech firm Wipro, which TalkTalk hired to resolve complaints and network problems, had gained “unauthorised and unlawful access” to customer data in late 2014.
The fine takes the firm’s penalties to £500,000, including a record £400,000 fine last year over a hacking attack that saw information for 157,000 customers compromised in October 2015.
Forty Wipro employees had “unjustifiably wide-ranging” access to data belonging to between 25,000 and 50,000 TalkTalk customers, said the Information Commissioner’s Office.
Three of those accounts were then used to illegally access data of up to 21,000 customers.
A TalkTalk spokesman said: “We notified the ICO in 2014 of our suspicions that a small number of employees at one of our third-party suppliers were abusing their access to non-financial customer data.
“We informed our customers at the time and launched a thorough investigation, which has led to us withdrawing all customer service operations from India.”
Customers had complained of calls from scammers identifying themselves as TalkTalk engineers.
They said the scammers had information that was only accessible to the company, including details of previous support calls, and used this to gain their trust.
Issuing the fine, the Information Commissioner’s Office said it did not find any direct evidence of a link between the information accessed by Wipro staff and the complaints about scam calls.
The commissioner, Elizabeth Denham, said: “TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people.
“TalkTalk should have known better and they should have put their customers first.”
Source: Sky News