ICO says TalkTalk didn’t do enough to stop criminals in Indian call centre from accessing huge amounts of customer data
TalkTalk has been fined £100,000 for a breach of the Data Protection Act that allowed scammers to access large amounts of customer data for use in phone-based phishing attacks.
Customers started complaining in September 2014 they were receiving scam calls purporting to be from TalkTalk to solve a technical issue.
In some cases, the calls followed a genuine engineering visit, and the scammers were able to give customer addresses and account numbers, helping to give legitimacy to their claim.
The customers, who were told TalkTalk needed to conduct tests or fix a fault remotely, were then requested to download software that would give the criminals remote access to the computers. The attackers then attempted to change passwords or steal money.
In one case, the customer was able to shut down his PC in time, but another had £300 stolen from her PayPal account, although this was refunded by her bank.
An Information Commissioner’s Office (ICO) investigation found that the portal used by customer service representatives had no controls limiting how much customer information a single employee could access, or which devices it could be viewed from.
Staff could log in at any time and view as many as 500 records at once, far more than their customer service roles required.
Three accounts belonging to Wipro, the Indian IT services provider that was one of TalkTalk’s third-party suppliers, were found to have unlawfully accessed the records of as many as 21,000 customers. In total, 44 members of staff were able to see the records of between 25,000 and 50,000 customers.
The ICO said TalkTalk had “ample” time to implement appropriate measures but didn’t do so.
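The control the ICO found missing is a plain one: a customer service portal should know how many distinct customer records an agent opens over a period and from which device, and should alert or block when either departs from what the role needs. The following is an added illustration, not TalkTalk's, Wipro's or the ICO's code, of a detection that could run over a portal audit log. The log line format, the agent and device identifiers, the per-agent device allow-list and the threshold of 50 distinct records per hour are all assumptions; the sample log is constructed.

```python
"""Volume- and device-based detection over a (constructed) CRM portal audit log.

Added illustration only; assumed log format, IDs and thresholds, not any real
TalkTalk or Wipro system.
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Assumed audit line format: "<ISO-8601 UTC> agent=<id> device=<id> record=<customer id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) agent=(?P<agent>\S+) device=(?P<device>\S+) record=(?P<record>\S+)$"
)

# Assumed allow-list: which portal devices each agent may use (hypothetical IDs).
ALLOWED_DEVICES = {"A101": {"D-OFFICE-7"}, "A204": {"D-OFFICE-9"}}


def parse_line(line):
    """Parse one audit line into a dict with a timezone-aware timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "agent": m["agent"], "device": m["device"], "record": m["record"]}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def excessive_access(entries, window=timedelta(hours=1), max_distinct=50):
    """Return {agent: peak distinct records seen in any sliding `window`} for agents
    whose peak exceeds `max_distinct`. Re-opening the same record does not count twice."""
    by_agent = {}
    for e in sorted(entries, key=lambda e: e["ts"]):
        by_agent.setdefault(e["agent"], []).append(e)
    flagged = {}
    for agent, events in by_agent.items():
        recent = deque()        # events inside the current window, oldest first
        counts = Counter()      # record id -> number of views inside the window
        peak = 0
        for e in events:
            recent.append(e)
            counts[e["record"]] += 1
            # Evict views that fell out of the window relative to this event.
            while recent and e["ts"] - recent[0]["ts"] > window:
                old = recent.popleft()
                counts[old["record"]] -= 1
                if counts[old["record"]] == 0:
                    del counts[old["record"]]
            peak = max(peak, len(counts))
        if peak > max_distinct:
            flagged[agent] = peak
    return flagged


def unapproved_devices(entries, allowed=ALLOWED_DEVICES):
    """Return sorted (agent, device) pairs where the device is not allow-listed for that agent."""
    hits = {(e["agent"], e["device"]) for e in entries
            if e["device"] not in allowed.get(e["agent"], set())}
    return sorted(hits)


def build_sample_log():
    """Constructed sample: one ordinary agent and one bulk-reading agent on an unlisted device."""
    base = datetime(2014, 9, 2, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(6):  # A101: six records over an hour from an approved desk
        t = base + timedelta(minutes=12 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} agent=A101 device=D-OFFICE-7 record=C{i:04d}")
    for i in range(120):  # A204: 120 distinct records in 40 minutes from an unlisted device
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} agent=A204 device=D-PERSONAL-X record=C{1000 + i:04d}")
    return "\n".join(lines)


if __name__ == "__main__":
    entries = parse_log(build_sample_log())
    print("volume alerts:", excessive_access(entries))
    print("device alerts:", unapproved_devices(entries))
```

The distinct-record count matters more than raw request volume: an agent legitimately working one customer's fault may open the same record dozens of times, whereas someone harvesting data opens many records once each. In a production portal the same two checks would sit in front of the data, as a per-session cap and a device allow-list enforced at login, rather than only in after-the-fact log review.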
Data Protection Act
“TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people,” said Information Commissioner Elizabeth Denham. “TalkTalk should have known better and they should have put their customers first.”
“We notified the ICO in 2014 of our suspicions that a small number of employees at one of our third party suppliers were abusing their access to non-financial customer data,” a TalkTalk spokesperson told Silicon.
“We informed our customers at the time and launched a thorough investigation, which has led to us withdrawing all customer service operations from India. We continue to take our customers’ data and privacy incredibly seriously, and while there is no evidence that any of the data was passed on to third parties, we apologise to those affected by this incident.”
The incident predates the catastrophic cyberattack sustained by the company in October 2015. The scale of the assault was less than originally feared, but 1.2 million email addresses, names and phone numbers were stolen, as were 21,000 account numbers and sort codes and 28,000 partial card details.
However, TalkTalk maintained that the data stolen was not sufficient for the attackers to steal money.
TalkTalk was fined a then-record £400,000 by the ICO for that incident, which also cost the company 101,000 customers and £60 million in lost revenue.
At present the ICO can fine firms a maximum of £500,000, but under the EU General Data Protection Regulation (GDPR), which applies from May 2018, the maximum penalty rises to £17 million or four percent of global annual turnover, whichever is higher.