Poor staff monitoring sees £100k fine for TalkTalk 21,000 record breach

Yesterday the Information Commissioner's Office (ICO) fined TalkTalk Telecom Group PLC £100,000 because it did not have appropriate technical or organisational measures in place to keep personal data secure, thus breaching the seventh principle of the Data Protection Act.

The ICO says TalkTalk failed to look after its customers' data and risked it falling into the hands of scammers and fraudsters. Staff were found to have access to large quantities of customers' data without adequate security measures to prevent misuse.

Back in September 2014 TalkTalk customers started complaining that they were receiving calls from scammers pretending to provide support for technical problems. The scammers quoted customers' addresses and TalkTalk account numbers.

As a result the ICO launched an investigation into how customer details – names, addresses, phone numbers and account numbers – were compromised, and found the source was a TalkTalk portal through which customer information could be accessed.

One organisation with access was Wipro, an India-based IT services company that resolved problems on TalkTalk's behalf. Investigators identified three Wipro accounts used to gain unauthorised and unlawful access to the personal data of up to 21,000 customers. Forty Wipro employees had access to data of between 25,000 and 50,000 TalkTalk customers and were able to:

· log in to the portal from any internet-enabled device. No controls were put in place to restrict access to devices linked to Wipro.

· carry out “wildcard” searches – for example, entering “A*” to return all surnames beginning with that letter. This allowed staff to view large numbers of customer records at a time and to export data.

· view up to 500 customer records at a time.
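Each of the three weaknesses above corresponds to a check a monitoring team could run over portal access logs. The following Python is an added example, not code from TalkTalk, Wipro or the ICO report: it applies those checks to a constructed sample log. The event field names, the allowlisted network range and the records-per-query threshold are assumptions made for the example.

```python
import ipaddress

# Constructed sample of portal access events (not real TalkTalk logs);
# the field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"user": "agent01", "src_ip": "203.0.113.10", "query": "surname=Smith", "returned": 3, "export": False},
    {"user": "agent02", "src_ip": "198.51.100.77", "query": "surname=A*", "returned": 500, "export": True},
    {"user": "agent03", "src_ip": "203.0.113.22", "query": "account=12345", "returned": 1, "export": False},
    {"user": "agent04", "src_ip": "203.0.113.40", "query": "postcode=SW1*", "returned": 120, "export": False},
]

# Assumed policy: only the outsourcer's egress range may reach the portal,
# wildcard searches are disallowed, and bulk views or exports are capped.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
MAX_RECORDS_PER_QUERY = 50


def query_is_wildcard(query: str) -> bool:
    """True when the search value (after 'field=') contains a '*' wildcard."""
    return "*" in query.split("=", 1)[-1]


def source_is_allowed(src_ip: str) -> bool:
    """True when the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def assess_event(event: dict) -> list[str]:
    """Return the list of control failures observed in one access event."""
    findings = []
    if not source_is_allowed(event["src_ip"]):
        findings.append("login from non-allowlisted network")
    if query_is_wildcard(event["query"]):
        findings.append("wildcard search")
    if event["returned"] > MAX_RECORDS_PER_QUERY:
        findings.append(f"bulk view of {event['returned']} records")
    if event["export"]:
        findings.append("bulk export")
    return findings


def assess_log(events: list[dict]) -> dict[str, list[str]]:
    """Map each user with at least one finding to the findings against them."""
    report: dict[str, list[str]] = {}
    for ev in events:
        findings = assess_event(ev)
        if findings:
            report.setdefault(ev["user"], []).extend(findings)
    return report


if __name__ == "__main__":
    for user, findings in assess_log(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(findings)}")
```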

Information Commissioner Elizabeth Denham said that TalkTalk should have put its customers first, commenting, “The real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people.”

The ICO said TalkTalk should have been aware of the risks and had ample time to implement appropriate measures; the misuse of personal data was likely to cause substantial damage or distress, but TalkTalk failed to make sure the portal could only be accessed from authorised devices and failed to prevent large-scale accessing and exporting of personal data.

However, although it was logical to assume a connection, the ICO investigation failed to find direct evidence linking the compromised information to the complaints about scam calls.

Jan van Vliet, VP and GM, EMEA at Digital Guardian emailed SC to comment: "Is it really surprising that companies such as TalkTalk continue to suffer these data breaches when they stand to face such an insignificant fine, almost three years after the incident? When the numbers of affected customers run into the thousands, you don't have to look too hard at existing security measures to question whether they are even remotely adequate for the task at hand. Big companies have been able to get away with lax security for years. Thankfully, with the GDPR now on the horizon, the days for such complacency really are numbered. These businesses can expect to swap a £100,000 fine for data protection breaches for one in the millions."

Nir Polak, CEO at Exabeam, also emailed SC and went on to say: "This incident highlights why it is essential for companies to understand exactly how users are interacting with the network and data. Had TalkTalk had a means to monitor the activities of employees and third parties, its incident response team could have spotted the inappropriate access to customer data. Profiling individual users helps security teams to understand exactly who is on the network; what they are doing; whether they should be doing it; and what their actions mean for an organisation's security posture.

To secure its data, TalkTalk should have been asking questions internally to clearly define best practices: What are the policies we need? Who should be able to access which data? What access controls should be in place around information or systems?"