TalkTalk fined £100k for exposing personal sensitive info
21,000 accounts handled by Indian outsourcing biz exposed
Blighty's Information Commissioner’s Office has whacked TalkTalk with a £100,000 fine after the records of 21,000 people were exposed to fraudsters at an Indian call centre.
The breach came to light in September 2014 when TalkTalk started getting complaints from customers that they were receiving scam calls. Typically, the scammers pretended they were providing support for technical problems. They quoted customers’ addresses and TalkTalk account numbers.
The Register has documented the scam since February last year; it included customers being convinced to install a remote-control software package, via which the scammers then deployed a trojan.
Fraudsters had got hold of maintenance-visit data and used it to convince customers to allow them remote access to their computers.
A probe by TalkTalk found an issue with the UK ISP's portal through which customer information could be accessed. One of the companies with access to the portal was Wipro, a multinational IT services company in India that resolved high level complaints and addressed network coverage problems on TalkTalk’s behalf.
A specialist investigation by TalkTalk identified three Wipro accounts that had been used to gain unauthorised and unlawful access to the personal data of up to 21,000 customers.
Forty Wipro employees had access to data of between 25,000 and 50,000 TalkTalk customers.
Staff were able to log into the portal from any internet-enabled device; there were no controls in place to restrict access to devices linked to Wipro.
They were also able to carry out “wildcard” searches – for example, entering “A*” to return all surnames beginning with that letter. This allowed staff to view up to 500 customer records at a time and to export that data, potentially offsite.
The ICO found this level of access was unjustifiably wide-ranging and put the data at risk.
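The two control failures the ICO describes (no restriction on where the portal could be reached from, and wildcard searches that returned and exported hundreds of records at a time) are exactly the kind of thing a portal's own audit log should surface. The script below is an added illustration, not code from the article, TalkTalk or Wipro: it runs a few constructed audit lines through three checks, access from outside an assumed supplier network, wildcard patterns with too short a literal prefix, and per-event and per-day export volumes. The log format, the `203.0.113.0/24` supplier range and the thresholds are all assumptions chosen for the example.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample audit log for a hypothetical customer-service portal
# (not TalkTalk's or Wipro's real logs). Columns: timestamp, agent account,
# source IP, action, detail (search pattern or number of records exported).
SAMPLE_LOG = """\
2014-09-01T09:00:00Z agent01 203.0.113.10 login -
2014-09-01T09:01:12Z agent01 203.0.113.10 search surname=Smith
2014-09-01T09:05:40Z agent07 198.51.100.5 login -
2014-09-01T09:06:02Z agent07 198.51.100.5 search surname=A*
2014-09-01T09:06:30Z agent07 198.51.100.5 export 500
2014-09-01T09:07:10Z agent07 198.51.100.5 search surname=B*
2014-09-01T09:07:45Z agent07 198.51.100.5 export 500
2014-09-01T10:15:00Z agent03 203.0.113.22 search surname=Jo*
2014-09-01T10:16:00Z agent03 203.0.113.22 export 40
"""

# Assumed policy values (illustrative, not taken from the article): the
# supplier's egress network, the minimum literal prefix before a wildcard,
# and export caps per event and per account per day.
SUPPLIER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
MIN_LITERAL_PREFIX = 3
MAX_EXPORT_PER_EVENT = 100
MAX_EXPORT_PER_ACCOUNT_PER_DAY = 200

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def is_overbroad_pattern(pattern: str) -> bool:
    """A wildcard search with fewer than MIN_LITERAL_PREFIX leading literal
    characters matches a large slice of the customer base ("A*" = every A)."""
    literal = pattern.split("*", 1)[0]
    return "*" in pattern and len(literal) < MIN_LITERAL_PREFIX


def validate_search(pattern: str) -> str:
    """Server-side guard for a hardened portal: refuse overbroad patterns
    rather than leaving the decision to the agent."""
    if is_overbroad_pattern(pattern):
        raise ValueError(f"search pattern too broad: {pattern!r}")
    return pattern


def from_allowed_network(ip: str) -> bool:
    """The device/network restriction the original portal lacked."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUPPLIER_NETWORKS)


def analyse(log_text: str) -> List[Dict[str, str]]:
    """Scan portal audit lines and return one finding per suspicious event."""
    findings: List[Dict[str, str]] = []
    exported: Dict[tuple, int] = defaultdict(int)  # (account, day) -> records
    offnet_seen = set()
    quota_flagged = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, account, ip, action, detail = m.groups()
        day = ts[:10]
        # One finding per account/IP pair, not per line, to keep alerts readable.
        if not from_allowed_network(ip) and (account, ip) not in offnet_seen:
            offnet_seen.add((account, ip))
            findings.append({"type": "off_network_access", "account": account,
                             "detail": f"{action} from {ip}", "time": ts})
        if action == "search":
            _field, _, pattern = detail.partition("=")
            if is_overbroad_pattern(pattern):
                findings.append({"type": "overbroad_search", "account": account,
                                 "detail": pattern, "time": ts})
        elif action == "export":
            n = int(detail)
            exported[(account, day)] += n
            if n > MAX_EXPORT_PER_EVENT:
                findings.append({"type": "bulk_export", "account": account,
                                 "detail": f"{n} records", "time": ts})
            if (exported[(account, day)] > MAX_EXPORT_PER_ACCOUNT_PER_DAY
                    and (account, day) not in quota_flagged):
                quota_flagged.add((account, day))
                findings.append({"type": "export_quota_exceeded", "account": account,
                                 "detail": f"{exported[(account, day)]} records on {day}",
                                 "time": ts})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['time']} {f['account']:8} {f['type']:22} {f['detail']}")
```

On the sample lines, `agent07` trips every check: a login from outside the supplier range, two single-letter wildcard searches and two 500-record exports that blow both the per-event and the daily cap. `validate_search` is the preventive counterpart of the same rule: a portal that rejects "A*" at the server never has to detect it afterwards.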
Information Commissioner Elizabeth Denham said: “TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people.
“TalkTalk should have known better and they should have put their customers first.”
The ICO said it fined TalkTalk because it did not have appropriate technical or organisational measures in place to keep personal data secure.
A TalkTalk spokeswoman said: “We notified the ICO in 2014 of our suspicions that a small number of employees at one of our third party suppliers were abusing their access to non-financial customer data.
“We informed our customers at the time and launched a thorough investigation, which has led to us withdrawing all customer service operations from India. We continue to take our customers’ data and privacy incredibly seriously, and while there is no evidence that any of the data was passed on to third parties, we apologise to those affected by this incident.”
The Register has asked Wipro for a comment. ®