Following complaints from customers about scammers who called armed with personal details such as account numbers, TalkTalk's investigators found that three employees at its subcontractor, Wipro, had used TalkTalk's portal to gain unauthorised access to the personal data of 21,000 customers. Wipro had been given this access to deal with network problems, but the ICO was unimpressed with the lack of restrictions on Wipro staff accessing customers' data. Wipro staff did not need to be on a work computer to reach the portal, and they could carry out "wildcard" searches using just an initial, which could return 500 customer records at a time.
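The three weaknesses described above (no device or network restriction, wildcard searches on a single initial, and bulk results) are each straightforward to close at the lookup endpoint. The following is an added illustration written for this article and is not TalkTalk's or Wipro's code; the customer table, the corporate network range, the thresholds and the function names are all constructed assumptions.

```python
"""Hardened customer-lookup gate (added example, not the portal's own code).

Closes the three gaps named in the TalkTalk/Wipro case:
  1. requests must come from the managed corporate network (stand-in for a
     work-device requirement),
  2. no wildcard or single-initial searches, and a second identifier is required,
  3. result sets are capped so one query cannot dump hundreds of records,
and every decision is written to an audit log so bulk-access attempts are visible.
"""
from dataclasses import dataclass, field
import ipaddress

# Constructed sample data standing in for the real customer table.
CUSTOMERS = [
    {"id": 1, "surname": "Smith", "postcode": "RG1 1AA", "account": "A-1001"},
    {"id": 2, "surname": "Smithson", "postcode": "RG1 1AA", "account": "A-1002"},
    {"id": 3, "surname": "Singh", "postcode": "RG2 2BB", "account": "A-1003"},
    {"id": 4, "surname": "Sanders", "postcode": "RG3 3CC", "account": "A-1004"},
    {"id": 5, "surname": "Jones", "postcode": "RG1 1AA", "account": "A-1005"},
]

# Assumed policy values; a real deployment would load these from configuration.
CORPORATE_NET = ipaddress.ip_network("10.20.0.0/16")  # assumption: managed estate
MIN_SURNAME_CHARS = 3   # rejects "S" / "Sm" style initial searches
MAX_RESULTS = 5         # hard cap on records returned per query
WILDCARDS = ("*", "%", "_", "?")


class LookupRefused(Exception):
    """Raised when a query violates the access policy; message names the rule."""


@dataclass
class AuditLog:
    """In-memory audit trail; each entry records who asked, what, and the outcome."""
    entries: list = field(default_factory=list)

    def record(self, requester, client_ip, query, outcome, count=0):
        self.entries.append({"requester": requester, "ip": client_ip,
                             "query": query, "outcome": outcome, "count": count})


def lookup_customer(surname_prefix, postcode, client_ip, requester, audit):
    """Return matching customer records, or raise LookupRefused.

    The query is only honoured when it comes from the corporate network, names
    at least MIN_SURNAME_CHARS of the surname with no wildcard characters,
    supplies a postcode as a second identifier, and matches at most MAX_RESULTS.
    """
    query = f"{surname_prefix}/{postcode}"

    # Rule 1: reject requests from outside the managed network.
    if ipaddress.ip_address(client_ip) not in CORPORATE_NET:
        audit.record(requester, client_ip, query, "refused:off-network")
        raise LookupRefused("off-network")

    # Rule 2: no wildcards, no single-initial searches, second identifier required.
    if any(ch in surname_prefix for ch in WILDCARDS):
        audit.record(requester, client_ip, query, "refused:wildcard")
        raise LookupRefused("wildcard")
    if len(surname_prefix.strip()) < MIN_SURNAME_CHARS:
        audit.record(requester, client_ip, query, "refused:too-short")
        raise LookupRefused("too-short")
    if not postcode.strip():
        audit.record(requester, client_ip, query, "refused:no-second-identifier")
        raise LookupRefused("no-second-identifier")

    # Rule 3: exact prefix on surname AND exact postcode, with a hard result cap.
    needle = surname_prefix.strip().lower()
    matches = [c for c in CUSTOMERS
               if c["surname"].lower().startswith(needle)
               and c["postcode"].lower() == postcode.strip().lower()]
    if len(matches) > MAX_RESULTS:
        audit.record(requester, client_ip, query, "refused:too-many", len(matches))
        raise LookupRefused("too-many")

    audit.record(requester, client_ip, query, "allowed", len(matches))
    return matches


if __name__ == "__main__":
    log = AuditLog()
    for args in [("S", "", "203.0.113.7", "agent42"),      # off-network, initial only
                 ("S", "RG1 1AA", "10.20.1.5", "agent42"),  # on-network, initial only
                 ("Smi", "RG1 1AA", "10.20.1.5", "agent42")]:  # compliant query
        try:
            print(args[:2], "->", [c["account"] for c in lookup_customer(*args, log)])
        except LookupRefused as exc:
            print(args[:2], "-> refused:", exc)
    print(len(log.entries), "audit entries")
```

The audit entries are the detection hook: a subcontractor account that repeatedly produces `refused:too-short` or `refused:wildcard` outcomes, or that issues far more `allowed` lookups than its network-fault workload justifies, is exactly the pattern that the 21,000-record access would have produced.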
TalkTalk was fined £100,000 by the ICO for failing to have appropriate technical or organisational measures in place to keep personal data secure. The ICO's view was that TalkTalk should have realised how vulnerable its system was to anyone trying to acquire large amounts of personal data for fraudulent use.
The case is a reminder to any firm subcontracting work which involves data processing. You should not only consider your subcontractor's policies, procedures and safeguards, but also review how its staff will interact with your systems and what vulnerabilities that access creates.
No doubt frustratingly for TalkTalk, had the case arisen after the introduction of the EU's new General Data Protection Regulation (and the UK's Data Protection Bill which is to follow), Wipro could have been directly liable for the breaches and fined. For further information on the new Bill please visit this article, and consider contacting Clarkslegal to discuss what you should be doing now to prepare.