back to article TalkTalk fined £100k for exposing personal sensitive info

Blighty's Information Commissioner’s Office has whacked TalkTalk with a £100,000 fine after the data of the records of 21,000 people were exposed to fraudsters in an Indian call centre. The breach came to light in September 2014 when TalkTalk started getting complaints from customers that they were receiving scam calls. …

  1. Lysenko

    Elizabeth Denham said: “TalkTalk may consider themselves to be the victims here.

    TalkTalk outsource core security sensitive functions to an overseas contractor who they cannot effectively supervise or manage for reasons that (let's be honest here) have nothing to do with customer service and everything to do with executive bonuses and the regulator even entertains the notion that they could be regarded as anything other than a negligent co-perpetrator?

    I want to try some of whatever that lady is smoking.

    1. Anonymous Coward
      WTF?

      Re: Elizabeth Denham said: “TalkTalk may consider themselves to be the victims here.

      Did you stop reading at that point? Here is the next line.

      "But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people."

      So no, she doesn't see Talk Talk as the victims.

      1. Lysenko

        Re: Elizabeth Denham said: “TalkTalk may consider themselves to be the victims here.

        I read it which is why I said "entertains the notion that they could be regarded as..." rather than "stated that they are..."

        She essentially floats the idea that "TalkTalk" may regard themselves as victims and then proceeds to state that the customers whose data was abused have a stronger claim on that status. I disagree. The customers are the only victims (not relativistic "real" victims) and TalkTalk are perpetrators rather than a lesser or weaker class of victim (we don't generally fine victims).

        The nett effect is to imply that TalkTalk were passively negligent rather than activel culpable (which is the reality). When you decide to outsource sensitive personal data outside of the relevant EU data protection frameworks you are taking intentional, positive action to weaken the security of that data.

        1. VinceH

          Re: Elizabeth Denham said: “TalkTalk may consider themselves to be the victims here.

          "She essentially floats the idea that "TalkTalk" may regard themselves as victims and then proceeds to state that the customers whose data was abused have a stronger claim on that status."

          The bit I've emphasised is important in interpreting what Denham said.

          She isn't suggesting that Talk Talk could be considered the victims - she is suggesting that Talk Talk might think that and then goes on to say (in essence) "But they aren't. If they do think that, they're wrong."

    2. Anonymous Coward
      Anonymous Coward

      Re: When I put your jewellery out in the street...

      I was totally the victim of it being stolen from my safety deposit service we offer.

  2. SkippyBing

    £100K

    Well that's going to show them. How much did they pay that Harding woman to f**k off? More than that I'd suspect.

    1. Phil O'Sophical Silver badge

      Re: £100K

      Exactly. TalkTalk has 955m shares in circulation, so a £100K fine is 0.01 pence per share. The "fine" means that TalkTalk shareholders will see a 0.1% reduction in their dividend. Completely meaningless.

      1. Tigra 07

        Re: £100K

        It's not completely meaningless as the customers will be paying the fine anyway.

        My predictions: Price rises coming soon for the customers and another fine or scandal at Talk Talk in the next 3 months.

    2. chivo243 Silver badge
      Headmaster

      Re: £100K

      100K really? Is TalkTalk run by one guy in his basement? It might hurt him, but a large company? C'mon!

      I bet a company like this can make 100k in interest just for cash in the bank... Where's the punishment?

      I have to doubt this fine won't even get paid... Taxes, losses, poor book keeping, deferment, promises, favors.

      pedant as he's befuddled too...

    3. strum

      Re: £100K

      > that Harding woman

      Well, that's a revealing phrase.

  3. Alister

    ...while there is no evidence that any of the data was passed on to third parties...

    Excuse me?

    What about this then?

    The breach came to light in September 2014 when TalkTalk started getting complaints from customers that they were receiving scam calls.

    Doesn't that count as evidence?

    1. Locky

      Oh, they mean there's no proof that those calls came from THIS breech. It could have been from one of many...

    2. Anonymous Coward
      Anonymous Coward

      My thoughts exactly.

      I can't wait for talktalk to get a right shafting from the GDPR.

      1. Anonymous Coward
        Anonymous Coward

        You will be waiting a very very long time then. No organisation will be hit with anywhere near the maximum fines. We will see fines around the same levels we are seeing at the moment.

        1. Doctor Syntax Silver badge

          "No organisation will be hit with anywhere near the maximum fines. We will see fines around the same levels we are seeing at the moment."

          Citation needed

    3. Anonymous Coward
      Anonymous Coward

      ...while there is no evidence that any of the data was passed on to third parties...

      My mum is on Talk Talk (for various reasons) and was called 6 months ago by the Indian scam merchants saying they were from Talk Talk, spotting problems with her computer and wanted to help. She said "I don't believe you because Talk Talk have never wanted to help me in the past and I don't think they do now." She then hung up and they haven't called back yet. I can't help think this is somehow related.

      1. NonSSL-Login

        Re: ...while there is no evidence that any of the data was passed on to third parties...

        My parents still get the occasional scam TalkTalk call. They just say that a TalkTalk engineer is here with them now and would they like to talk to them, which makes them hang up every time.

  4. Tigra 07
    Meh

    Scam Talk

    "We continue to take our customers’ data and privacy incredibly seriously"

    You keep saying this Talk Talk but clearly don't know what it means. That or your definition of "seriously" is seriously shit

    1. Anonymous Coward
      Anonymous Coward

      Re: Scam Talk

      "We continue to take our customers’ data and privacy. Incredibly. Seriously!"

      Better now?

  5. Anonymous Coward
    Anonymous Coward

    Role based access control

    You may have heard of it.

    A shame GDPR isn't here yet. 4% of global revenue would have been a more fitting fine, methinks

    1. Anonymous Coward
      Anonymous Coward

      Re: Role based access control

      Downvote from me. They were fined £100,000 of a possible £500,000. 1/5th the maximum fine. The 4% fine would not be applied under the GDPR. Most likely then fine would still be the same amount. The maximum fine under GDPR is just that. A maximum. It would require a pretty major event to cause that fine to be applied.

      1. Doctor Syntax Silver badge

        Re: Role based access control

        "They were fined £100,000 of a possible £500,000. 1/5th the maximum fine. The 4% fine would not be applied under the GDPR. "

        Let's look at it another way. From their 2016 annual report let's take the headline income before various deductions as the turnover. That's £1,838m. 4% is £73.52m. Now apply a 1/5 maximum and that comes out to £14.7m. So taking the same % of the new maximum fine should be enough to get the board's attention.

        1. SEKURITEH

          Re: Role based access control

          That aint gonna happen though, from ICO's own site; https://twitter.com/ICOnews/status/895559132761255936

          GDPR allows for 4% whatever, but it's up to the ICO to decide how to enforce that. If you look past the marketers selling certs, courses, conferences and silver bullets and find actual DPA experts, there's a common consensus that these huge fines aint happening.

          1. Anonymous Coward
            Anonymous Coward

            Re: Role based access control

            But aren't people with Talk Talk because the price is good and wouldn't they, seeing the price, expect their personal info sometimes go Walk Walk?

            I mean, isn't it all factored in?

  6. adam payne

    Talk Talk the company that keeps on giving headlines.

    “TalkTalk should have known better and they should have put their customers first.”

    Should have but didn't.

    "A TalkTalk spokeswoman said: “We notified the ICO in 2014 of our suspicions that a small number of employees at one of our third party suppliers were abusing their access to non-financial customer data."

    I seem to remember Talk Talk denying that there was a problem and if people were getting scam calls if wasn't because of them.

    "We continue to take our customers’ data and privacy incredibly seriously, and while there is no evidence that any of the data was passed on to third parties, we apologise to those affected by this incident.”

    Yeah i'm sure you take customer privacy very seriously, we have all seen how seriously you take it.

    Lack of evidence doesn't mean the data wasn't sold on.

  7. Mr Dogshit

    Dido's lament

    There, I said it again.

    1. h4rm0ny

      Re: Dido's lament

      Baroness Dido Harding has an absurd amount of personal connections to senior Conservative Party figures and others. She laughed all the way to the bank and suffered no meaningful consequences for any of the debacles of TalkTalk security. I doubt she has much to lament in this regard.

      Now if you'd said Dido's lamentable, I don't think anyone could challenge you on that!

      1. chivo243 Silver badge
        Devil

        Re: Dido's lament

        It's like you've read my comments from the big breach. The corporate dance is what it is... Get to the top and you'll never fall, only move laterally in times of crises, with a nice severance package.

        However, as she's well connected, she'll get some position worthy of her previous level...

  8. Aladdin Sane
    WTF?

    £4.76/customer.

    Less than the price of a McDonalds meal.

    1. John Brown (no body) Silver badge

      News from next month, "TalkTalk anounces unavoidable price increase of £1 per month per customer due operational cost increases"

      1. Doctor Syntax Silver badge

        News from next month, "TalkTalk anounces unavoidable price increase of £1 per month per customer due operational cost increases"

        Given that their ?only selling point is price there's a limit to the fines they can pass on.

  9. Steve Davies 3 Silver badge
    Mushroom

    India is not so cheap now is it?

    Perhaps a few more beancounters might like to consider this particular downside before sending all the jobs to India..

    No?

    Thought not. Perhaps you are too busy with a long lunch on the dime of another Indian outsourcer....

    Wanna try this for your next course [see icon]

    1. rmason

      Re: India is not so cheap now is it?

      You must be kidding?

      100k fine (+contract costs to india) Vs a properly setup local, in house function doing the same thing?

      Bargain.

      They know it can and will happen, and with the current fine structure they just don't care.

  10. Anonymous Coward
    Anonymous Coward

    Coor £100,000 bet they're really feeling that.

  11. kain preacher

    Quick way to stop this. Pass a law that every time they get fined no bonus can be paid out for 3 years.

    1. DJO Silver badge

      And double the maximum fine for every subsequent offence.

      1. kain preacher

        I was also thinking that every publicly traded company would need a compliance officer that can be criminally liable. The company could not take revenue if they have no compliance officer, And no they could not back bill the customers they would forfeit income till as such time the get an compliance officer. If the compliance officer say you should not do some thing or it could expose you and they are overruled, the person that made that decision would be criminally liable. If they say they can not find the person the company forfeits all income till such time the decision maker is found. If after 3 months no one is found then the company will be forced to stop trading. All assets seized and the company tossed into receivership. At that time a special masters will be appointed to decide if the company shall continue with s new management and board of directors or permanently cease trading. All corporate officers shall be bared from running a public company for five years. Both the corporate officers and the board members shall be barred from serving on any board of directors for 10 years .

  12. Anonymous Coward
    Anonymous Coward

    How much do your security incidents cost you?

    So the ICO think that the Single LOss Expectanc for a violation of principles 1,2 and 7 of the DPA is £4.76? I'm going to have to review my risk models.

  13. Douchus McBagg

    the 70+yr old Father in law was a victim of this. he got a "Support" phone call, "go to this site, install this software" etc etc, then when he asked them what they were doing, they got verbally abusive. he took a photo of the notepad window they had opened and the text they had typed. it was something nice like, "we now own your computer you <expeetive expleetive>, you kept asking questions so i'm going to <expletive> you" or something wonderful like that, from what I recall.

    fortunately he had the presence of mind to take the photo and just hold down the power button.

    It took his daughters naming and shaming talk talk on twitter before all of a sudden, his account was unlocked and password had been reset and he could access his account again as opposed to the hours of wasted time we'd spent previously on the phone trying to get him back into his account after this.

    When his laptop landed on my desk it would load the windows7 kernel, and then a picture that looked like a computer icon from win3.1/9x popped up in the middle of the screen with "a password is required to start your computer".

    did a full wipe and reload, god knows what crap they'd got installed on there. fortunately we had backups of anything important

    1. Anonymous Coward
      Anonymous Coward

      "the 70+yr old Father in law was a victim of this."

      And that story is the sort of horrible, exploitative instance that the law (courtesy, Retards of Parliament) and the ICO aren't taking account of when calculating the fines On its own, I'd have fined Talk Talk £100k for this example alone (and forced them to pay it to your dad).

      If I get some sub-continental crook phone me and try this on, I'd have some suitably rude verbiage back and hang up - that's a £10 fine per instance. But intimidating and frightening the vulnerable, that deserves not only a HUGE fine for Talk Talk, but also their CEO and chairman being given a ceremonial kick in the balls by an international rugby forward.

      1. clivejo

        Totally agree with you.

        It is very easy for older people to fall for these scams. They call you out of the blue, often displaying a UK caller ID number, know you are a Talk Talk customer and address you by name. These bar-stewards even mock up entire websites in order to convince their "mark" they are talking with someone at Talk Talk and sucker them into filling out forms which capture financial details. They will also remote control your computer and use any and all of their tricks to fool you into parting with your money (i.e. getting you to log into your online banking to check for a refund you are supposedly due, lock your computer with a password and hold it to ransom)

        I have personally been involved in shutting down several of these mock up sites. The last one was in December 2016. The problem is that it involves pretending to be a bit naive and fooling them into thinking you are falling for the scam. This takes time and effort (hours on the phone, allowing them to remotely connect to a VM running a fake OS), and I personally find it very hard suppressing the anger/rage at the lengths these people will sink to in order to scam you.

        Talk Talk should be refunding all these people who got scammed and be made pay compensation for the harassment these criminals give when they think they have got the upper hand (i.e. locking you out of your computer and holding it to ransom) I have received death threats, verbal abuse and been bombarded with calls from hostile scammers. But as far as I am concerned the longer I keep them on the phone to me, and more mock websites I get taken down, the less time they can spend conning someone out of their hard earned money.

  14. hatti

    No surprise

    And astoundingly, Talk Talk wonder why subscriptions are down. Double face palm

    1. Teiwaz

      Re: No surprise

      And astoundingly, Talk Talk wonder why subscriptions are down. Double face palm

      Within the week, they'll have marketing saps* camped outside many major Shopping Centres handing out Talk Talk leaflets to get replacement fodder customers to replace those that left over this - as they had within weeks of the last few customer data snafus that reached the media.

      * Poor bastards generally get laughed at openly by me if they try to approach me with a leaflet, but I dare say they'll find some poor uninformed persons...

      1. Doctor Syntax Silver badge

        Re: No surprise

        "Within the week, they'll have marketing saps* camped outside many major Shopping Centres"

        And if they appear at mine I'll explain loudly and at length why I changed a previous ISP after they took it over and why they're a laughing stock in the entire IT industry for their ineptitude.

        1. Anonymous Coward
          Anonymous Coward

          Re: No surprise

          And if they appear at mine I'll explain loudly and at length...

          Why? The herbert trying to sign you is just a temporary contractor trying to earn a modestly honest dollar. They don't know (or care) about Talk Talk's transgressions in past years. I suggest we leave the poor blighters alone.

          If you want to have it out with Talk Talk, then do it on their official Twitter and Facebook feeds, and then everybody else can enjoy it, and it'll be in Talk Talk's face.

          1. Doctor Syntax Silver badge

            Re: No surprise

            "Why?"

            So that potential customers get to hear.

            "If you want to have it out with Talk Talk, then do it on their official Twitter and Facebook feeds, and then everybody else can enjoy it, and it'll be in Talk Talk's face."

            Tempting, but not tempting enough for me to sign up to either Twitter or Facebook.

  15. Anonymous Coward
    Anonymous Coward

    WOW, under a fiver a piece, I can see a new business model for ISPs.

    What a joke.

  16. Anonymous Coward
    Anonymous Coward

    Out of India?

    That is a comical claim about "Moving call centres out of India". They may have moved, but to an even cheaper location. I think it is Thailand now. Some how they have found even worse quality.

    I have a client who lost £2000 to that original scam. A fake "TalkTalk" person phoned, and with some game playing, got his bank details from him. He never got the cash back.

    Had to deal with them again last month for a client... and they have got worse at not listening...

    £100,000 is nothing as a fine. Total joke.

    1. NonSSL-Login

      Re: Out of India?

      Philippines is a popular choice. Virgin media have centres there I believe.

      1. Andy Livingstone

        Re: Out of India?

        From personal experience the Philppines staff were unusual for Virgin Media in that they alone knew what they were doing and actually did it.

  17. Mage Silver badge

    Really!

    £4.76 per customer.

    The regulator needs to get a grip and fine about £200 per customer MINIMUM. £100K is a joke of a fine for such a company.

    The fines need to be PERSONAL to the Executives and Board, the people responsible, otherwise the cost is simply passed on to the customer and no incentive to change behaviour.

    Should apply to Councils, NHS trusts, Water Boards etc breaking rules/laws.

    1. Anonymous Coward
      Anonymous Coward

      Re: Really!

      The regulator needs to get a grip and fine about £200 per customer MINIMUM.

      And paid to those affected, instead of being extra income for the Chancellor to waste.

      1. N2

        Re: Really!

        I agree entirely,

        The net affect of fining a company just punishes the customers through eventual price increases as shareholders cant possibly 'lose' 1p of dividend, can they?

    2. Destroy All Monsters Silver badge
      Windows

      Re: Really!

      The fines need to be PERSONAL to the Executives and Board

      I completely support that,

      I have seen what happens internally what happens when breaches are announced: SFA, only political game playing increases while C-tards congratulate themselves on being such hot shit that they will still reach yearly targets while the IT support section is a festering skeleton.

  18. Anonymous Coward
    Anonymous Coward

    Another 'outsource to India' success story!

    Amazing more companies don't do it.

  19. Colin Bull 1
    FAIL

    Lying arse wipes

    I had an engineering call with TalkTalk and then several spam calls that had my details offering to put my computer right. Sadly they kept telling me to hold control key down and press letter R which does not do much with Mint.

    I have never been informed by TalkTalk that my details had been leaked and therefore I am very sure the number of leaked customer details is closer to 200,000 than 21,000.

    1. Anonymous Coward
      Anonymous Coward

      Re: Lying arse wipes

      "Sadly they kept telling me to hold control key down and press letter R which does not do much with Mint."

      It doesn't do much on Windows either.

      1. Anonymous Coward
        Joke

        control key down and press letter R

        Does it do anything with pirate copies??

        ARRRRRRRRRRR!!!!!

  20. clivejo
    WTF?

    Came to light in 2014?!

    This was brought to Talk Talks attention long before 2014 and they basically threatened customers with legal action to shut them up. I know that for a fact, because I was one of them! The following URL is a thread on their support forum back in 2010 from customers getting cold calls from people with Indian accents, pretending to be from TalkTalk and trying to scam them into thinking their PC needed "fixing".

    https://community.talktalk.co.uk/t5/Product-Archive/Talk-Talk-Sold-My-Number/m-p/498196

    Talk Talk are just the most useless excuse for a company I have ever have to deal with. This fine is peanuts to them. They just can't be trusted to tell the truth about anything or protect their customers data.

    What are they going to do for the customers who's details they just gave away to scammers/fraudsters?

    21,000 people (we are led to believe) have been harassed, threatened, called during anti-social hours and even conned out of millions of pounds due to Talk Talk and their total disregard and inability to protect customer information. Some of which have been putting up with this for years, including myself.

  21. Anonymous Coward
    Anonymous Coward

    Government Scam

    It's a good scam by the Government? Fine companies for breaking the law but don't compensate the victims of the crime.

  22. cortland

    Just BUY it

    http://www.iflscience.com/technology/judges-porn-habits-and-politicians-medication-found-in-anonymous-browsing-data/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like