Data breach lawyer confirms thousands more TalkTalk customers could have claims for compensation
Thousands of TalkTalk customers are likely to have claims for compensation against TalkTalk after a BBC investigation found that their personal information, including bank account details, has been posted online.
Posted on 22 May 2019
In a programme due to be broadcast on BBC1 tonight, BBC Watchdog Live confirms that its investigations have revealed that the hacked personal information of over 4,500 TalkTalk customers, including their names, address, dates of birth, email addresses, TalkTalk account numbers, bank account numbers and sort codes, were, until very recently, available online and could be accessed through a Google search.
The information relating to TalkTalk customers appears to have been hacked in October 2015. The information was available online until the website was suspended earlier this week. It is not known how long the information had been available on the website, who has viewed or downloaded this information or whether the information has also been published elsewhere.
Watchdog have interviewed a number of TalkTalk customers whose personal details appeared online. They confirm that, in recent years, they have been subject to frequent scam calls and in some cases attempted fraud and identity theft, which has affected their credit rating.
TalkTalk have already been fined a total of half a million pounds in recent years by the Information Commissioner’s Office (ICO), the body responsible for upholding the information rights of the general public, for a succession of data breaches of the Data Protection Act.
Specifically, in October 2016, the ICO fined TalkTalk £400,000 for security failings that allowed a cyber-attack to access customer information between 15 and 21 October 2015, by taking advantage of technical weaknesses in TalkTalk’s systems. The attackers accessed the personal data of 156,959 customers including their names, addresses, dates of birth and, in 15,656 cases, the attackers also had access to bank account details and sort codes.
In August 2017, the ICO then fined TalkTalk a further £100,000 for failing to look after its customers’ data. The incident related to TalkTalk allowing unjustifiably wide-ranging access by external companies including Wipro, a multi-national IT services company in India that addressed complaints and coverage problems on TalkTalk’s behalf, to large quantities of customers’ data, including customers’ names, addresses, phone numbers and TalkTalk account numbers. TalkTalk’s own investigation found that three Wipro accounts had been used to gain unauthorised and unlawful access to the personal data of up to 21,000 customers. The matter came to light in September 2014 when TalkTalk started receiving complaints from customers who were receiving scam calls from fraudsters pretending to be TalkTalk staff who could quote the customers’ personal details.
In relation to this latest incident, TalkTalk have told Watchdog that the information was hacked as part of the cyberattack in 2015 but, as a result of a genuine error, these 4,545 customers were wrongly told that they had not been affected. TalkTalk say that they have now written to these customers to inform them that they had been affected and to apologise. They have also stated that use of the hacked information, on its own, would not allow anyone to take money from affected customers’ accounts.
Sean Humber, a solicitor at Leigh Day specialising in information law and who is already acting for TalkTalk customers affected by these data breaches, commented:
“The results of Watchdog’s investigations are extremely worrying, given that they reveal that the personal details of over 4,500 TalkTalk customers have been published online. This is a particularly serious data breach because the hacked information includes details of customers’ bank account details and sort codes, leaving those affected at serious risk from fraudsters. Unfortunately, from initial investigations, it seems that criminals may well be using this hacked information to try and defraud customers by creating bogus accounts.
“Sadly, TalkTalk have a wholly unenviable track record of failing to keep their customers’ personal information safe. Their approach to the latest incident appears deeply complacent. That it takes a BBC investigation to reveal to TalkTalk that the personal data of over 4,500 of their own customers is available online beggars belief. Furthermore, while they have now, very belatedly, informed customers that they were affected by the 2015 cyberattack, they do not appear to have explained to them that their details were actually posted online.
“Customers whose personal details were posted online are likely to have very strong claims for compensation against TalkTalk for the failure to keep their personal information safe, whether they have suffered any direct financial loss or not.”