The October 2015 data breach at TalkTalk, resulting in the theft of personal data of almost 157,000 customers and a record £400,000 fine, has been widely reported here and elsewhere. However, another serious breach has not been so widely reported.
TalkTalk began investigating in September 2014, after receiving complaints from customers that they were receiving scam calls, and discovered that personal details for up to 21,000 customers had been unlawfully accessed by employees of a third-party service provider. The ICO found that the level of access to the data was unjustifiably wide-ranging and put the data at risk, and has now fined TalkTalk £100,000.
As before, the amount of the fine itself is not significant to a firm the size of TalkTalk, but the renewed public attention being focused on their lax security practices is certainly unwelcome. Bear in mind also that with the implementation of GDPR next year, maximum fines increase to 4% of global revenues, which would be £73m for TalkTalk based on their 2016 results!