U.K. Privacy Office Hits TalkTalk With $129K Data Breach Fine

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Ali Qassim

The U.K. privacy office has fined TalkTalk Telecom Group Plc 100,000 pounds ($129,881) after employees at a support services contractor in India unlawfully accessed the personal data of 21,000 customers, the Information Commissioner’s Office announced Aug. 10.

The enforcement action demonstrates that regulator will hold primary companies liable for properly protecting customer data if they don’t protect it from abuse by contractors.

Some 40 employees at Bangalore-based information technology services company Wipro Ltd. obtained access to non-financial details of between 25,000 and 50,000 customers, including their names, addresses, phone numbers and account numbers, the ICO said. Wipro, which was contracted to handle customer complaints from TalkTalk customers and address network coverage issues, failed to put the necessary privacy controls in place to restrict access to Talk Talk’s information portal.

Those TalkTalk customers thereafter reported they had started receiving calls from scammers.

“TalkTalk may consider themselves to be the victims here,” Information Commissioner Elizabeth Denham said in a statement. “But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people,” she said.

TalkTalk provides landline and mobile phone, internet, and pay TV services in the U.K., and has a 20 percent share of the market in the U.K., according to Bloomberg data.

A spokeswoman for TalkTalk told Bloomberg BNA that the company notified the ICO in 2014 of its “suspicions that a small number of employees at one of our third-party suppliers were abusing their access to non-financial customer data.” The incident led TalkTalk to withdraw all of its customer services from India, she said.

Paul Glass, a partner in the disputes and investigations group at Taylor Wessing LLP in London, told Bloomberg BNA that companies in long-term relationships with third-party providers should be careful not to be lulled into privacy and data security complacency. TalkTalk had been working with Wipro for over a decade, he said.

Companies should continue to assess advances in technology and not delay installing privacy and security controls that may appear “disproportionate and expensive” at the moment, Glass said.

Risk of Fraud

TalkTalk’s spokewoman highlighted that “there is no evidence that any of the data was passed on to third parties” and the U. K.’s privacy office confirmed its investigation did not find direct evidence of a link between the compromised information and the complaints about scam calls.

But the ICO also warned in its statement that the stolen data could have been used for fraud and caused substantial damage, citing that the breach came to light in September 2014 when TalkTalk customers started complaining they were receiving scam calls.

During the unsolicited calls, scammers typically pretended they were providing support for technical problems, quoting customers’ addresses and TalkTalk account numbers, the ICO said.

TalkTalk was hit in 2016 with a record 400,000 pounds ($520,097) fine for a separate breach after hackers accessed the personal data of about 150,000 TalkTalk customers.

To contact the reporter on this story: Donald Aplin in Washington at daplin@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The monetary penalty notice against TalkTalk is available at http://src.bna.com/ryK.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security