20.5k unique visitors in the last 3 days

Big Fine for TalkTalk Data Protection Failure

The UK's Information Commission issued a GBP100,000 (USD130,000) penalty after it was found TalkTalk allowed Wipro staff to have excessive access to customer data.

It seems that the UK’s Information Commissioner (ICO) is getting into the habit of fining TalkTalk, the multiplay telco with an unenviable reputation for compromising customer data. The Commissioner has fined TalkTalk GBP100,000 (USD130,000) for not complying with the UK’s Data Protection Act. Per ICO’s press release:

An ICO investigation found TalkTalk breached the Data Protection Act because it allowed staff to have access to large quantities of customers’ data. Its lack of adequate security measures left the data open to exploitation by rogue employees.

This wording is sloppy, because the ‘investigation’ actually found the data was liable to exploitation by the employees of Wipro, a supplier to TalkTalk. Per the official penalty notice:

TalkTalk provided 40 Wipro employees with access to the relevant personal data of between 25,000 to 50,000 (sic) through the portal. [Presumably these numbers refer to customers.] No controls were put in place to limit access to the customers whose accounts were being worked on…

TalkTalk’s failings will hardly be news to customers, or even to the UK press. Wipro employees who sold TalkTalk customer data were arrested in 2016, and the many victims of the resulting ‘industrial-scale’ scams have received widespread coverage. One pertinent question raised by those victims is why ICO’s ‘investigations’ take so long; the relevant concerns were brought to ICO’s attention in 2015. But after two years of ‘investigation’ ICO was still not able to identify any link between weak data protection controls and the surge in scams blighting TalkTalk customers. ICO’s press release noted:

The ICO investigation did not find direct evidence of a link between the compromised information and the complaints about scam calls.

This story has many familiar features. A business is repeatedly caught failing to comply with rules designed to protect customer data, but only after customers suffer. If no customers suffered, then nobody would have known about the company’s non-compliance. Even when customers start howling about scams it takes years for the data protection authority to ‘investigate’ what went wrong, and that authority is incapable of proving anything beyond the weaknesses that the business has told them about. Those weaknesses reveal a non-compliance with a general principle, begging the question of what is an appropriate fine when there must be many other firms also failing to comply with non-specific principles. The quantitative decision of choosing the scale of the penalty contrasts with the subjective, imprecise and qualitative wording of the rule that was broken. However, the data protection authority finally has the courage to take ‘action’ because of all the negative publicity already generated.

In other words, data protection law can be used to punish businesses that fail to protect customer data, but only two years after the data has already been compromised, and ten years after the flaw which led to the breach was first identified by a business which decided to do nothing about it. Is it any wonder that we will keep hearing about breaches and fines when the apparatus for ‘protecting’ people is always so far behind? What this story really confirms is that the compliance mindset is inadequate. Ethical businesses need to proactively safeguard customer data without waiting to be told how, when or why.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email