Enough time has passed that TalkTalk has bounced back from its reputation-damaging data debacle of 2015, which saw hackers steal the personal details of over 150,000 of its customers. That earned the company a £400,000 fine from the UK's Information Commissioner's Office (ICO), and today an older data breach in 2014 has cost the company an additional £100,000. The ICO has handed TalkTalk the invoice as a slap on the wrist for failing to adequately protect customer details after third-party support staff were found to have gained "unauthorised and unlawful access to the personal data of up to 21,000 customers."
TalkTalk became aware something was up in September 2014 after customer complaints began rolling in. Scam callers had been targeting subscribers under the pretense of providing technical support, and knew their names, addresses, TalkTalk account numbers and, of course, their phone numbers. Ironically, these wannabe identity thieves had actually gleaned this information from a customer database belonging to Wipro, a company that resolves complaints and provides legitimate tech support on TalkTalk's behalf.
Upon lengthy investigation, TalkTalk discovered three Wipro employee accounts had been used to access customer details unlawfully. As it turned out, employees could access the data by logging in from any device with an internet connection, and simple search terms would allow staff to view and export the data of 500 customers at a time. It was this lax approach to data handling that the ICO found to be a breach of the Data Protection Act, hence the fine of £100,000 today.
This kind of breach is completely different to the "significant and sustained cyberattack" that hit the provider in 2015, but we imagine TalkTalk would just like to pay the piper and let us go back to forgetting this earlier breach ever happened.