
ICO issues TalkTalk monetary penalty notice for £100,000

Published on 18 December 2017

On 7 August 2017, the Information Commissioner's Office (ICO) fined TalkTalk £100,000 after an investigation found that it had failed to take adequate security measures to protect customer data from unauthorised access via a web-based portal.

The facts

In 2004, TalkTalk provided Wipro Limited (Wipro), a multinational IT services company that resolved network issues on TalkTalk's behalf, with access to a portal that contained the personal information of between 25,000 and 50,000 customers. According to the investigation, in 2014, certain employees of Wipro used the portal to gain unauthorised access to customer data which included names, addresses and phone numbers.

The decision

The ICO's investigation found that TalkTalk had failed to have due regard to:

  • The state of technological development 
  • The cost of implementing any measures 
  • The nature of the customer data, and 
  • The harm that might result from its misuse. 

TalkTalk had therefore contravened the seventh principle of the DPA, by not ensuring that appropriate technical and organisational measures had been taken to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The ICO found that TalkTalk had:

  • Provided 40 Wipro employees with access to the customer data without any controls in place to either limit access to the customers themselves or to just the fields that were actually required for Ofcom reporting
  • Allowed Wipro employees to access the portal from any internet-enabled device rather than just from devices linked to Wipro, and
  • Allowed Wipro employees to make "wildcard" searches, view large numbers of customer records at any one time and bulk download data (although there was no evidence that this had occurred). There was no adequate justification for those capabilities.
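The three findings above are, in engineering terms, missing least-privilege controls on a third-party portal: no record-level scoping, no field-level minimisation, no device or network restriction, and unrestricted wildcard and bulk queries. The following is an added example, not code from RPC, TalkTalk, Wipro or the ICO notice, of a small access-control layer that enforces each of those controls and audits every denial. The customer records, the partner name "partner-noc", the 203.0.113.0/24 address range and the policy values are all constructed for illustration.

```python
"""Added example, not from the RPC article or the ICO notice: a minimal
access-control layer for a third-party support portal that enforces the
controls the ICO said were missing. Customer records, partner names,
IP ranges and policies are all constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

# Constructed customer records; a real portal would read these from a database.
CUSTOMERS = {
    "C1001": {"name": "A. Example", "address": "1 Sample St", "phone": "01234 000001",
              "line_status": "fault-open"},
    "C1002": {"name": "B. Example", "address": "2 Sample St", "phone": "01234 000002",
              "line_status": "ok"},
    "C1003": {"name": "C. Example", "address": "3 Sample St", "phone": "01234 000003",
              "line_status": "fault-open"},
}


@dataclass(frozen=True)
class PartnerPolicy:
    """What one outsourcing partner may see, and from where."""
    partner: str
    allowed_fields: frozenset      # data minimisation: only the fields the task needs
    allowed_networks: tuple        # device/network allow-list (assumed partner ranges)
    max_results: int = 1           # no viewing of large numbers of records at once
    allow_export: bool = False     # no bulk download


@dataclass
class AccessDecision:
    allowed: bool
    reason: str
    records: list = field(default_factory=list)


def _from_allowed_network(src_ip, networks):
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def lookup(policy, src_ip, customer_ids, ticket_scope, audit):
    """Serve a lookup of named customers for a partner.

    ticket_scope is the set of customer ids the partner currently has an open
    ticket for; anything outside it is denied (the 'customers themselves'
    limit from the notice). Every denial is written to the audit list so the
    data controller can see attempted over-reach by a processor."""
    if not _from_allowed_network(src_ip, policy.allowed_networks):
        audit.append(f"DENY {policy.partner} src={src_ip} reason=network")
        return AccessDecision(False, "source network not permitted")
    if any("*" in c or "%" in c for c in customer_ids):
        audit.append(f"DENY {policy.partner} reason=wildcard ids={customer_ids}")
        return AccessDecision(False, "wildcard searches are not permitted")
    if len(customer_ids) > policy.max_results:
        audit.append(f"DENY {policy.partner} reason=too_many n={len(customer_ids)}")
        return AccessDecision(False, "request exceeds per-query record limit")
    out_of_scope = sorted(c for c in customer_ids if c not in ticket_scope)
    if out_of_scope:
        audit.append(f"DENY {policy.partner} reason=scope ids={out_of_scope}")
        return AccessDecision(False, "customer not assigned to this partner")
    records = []
    for cid in customer_ids:
        rec = CUSTOMERS.get(cid)
        if rec is None:
            continue
        # Field-level minimisation: strip everything the policy does not grant.
        records.append({k: v for k, v in rec.items() if k in policy.allowed_fields})
    audit.append(f"ALLOW {policy.partner} src={src_ip} ids={customer_ids}")
    return AccessDecision(True, "ok", records)


def export_all(policy, src_ip, audit):
    """Bulk-download endpoint: off by default for partners."""
    if not policy.allow_export:
        audit.append(f"DENY {policy.partner} src={src_ip} reason=export")
        return AccessDecision(False, "bulk export not permitted for this partner")
    audit.append(f"ALLOW {policy.partner} src={src_ip} export=all")
    return AccessDecision(True, "ok", list(CUSTOMERS.values()))


# Constructed policy: the partner may see only line status, only for customers
# it has tickets for, one record at a time, from its own address range.
PARTNER_POLICY = PartnerPolicy(
    partner="partner-noc",
    allowed_fields=frozenset({"line_status"}),
    allowed_networks=("203.0.113.0/24",),
)

if __name__ == "__main__":
    log = []
    print(lookup(PARTNER_POLICY, "203.0.113.10", ["C1001"], {"C1001"}, log))
    print(lookup(PARTNER_POLICY, "203.0.113.10", ["C*"], {"C1001"}, log))
    print(export_all(PARTNER_POLICY, "203.0.113.10", log))
    print("\n".join(log))
```

The design point is that the policy, not the partner's good behaviour, bounds what can leave the system: a partner that only needs line status for Ofcom reporting never receives names, addresses or phone numbers at all, and the audit trail records every attempt that the policy rejected, which is the evidence a controller would want when it comes to demonstrate appropriate measures to a regulator.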

The ICO considered that TalkTalk's contravention comprised a number of serious and material inadequacies and that those inadequacies were systematic (from 2004 until 2014). The ICO further said that TalkTalk ought to have been aware that a contravention could occur; that it had failed to prevent this; and that any such contravention was likely to cause substantial damage and distress. In the light of this and the importance of deterring future contraventions by TalkTalk and others, the ICO issued the monetary penalty under s55A of the DPA.

Why is this important?

It's likely that data protection compliance was not at the front of mind of those negotiating the original Wipro deal. After all, this was back in 2004. But the fine highlights just how alive businesses (and lawyers) need to be to data regulation when outsourcing services to third parties. It goes without saying that the stakes get much higher when the General Data Protection Regulation (GDPR) comes into force, especially with the increased fining powers for regulators.