TalkTalk data breach customer details found online
TalkTalk failed to inform 4,545 customers that their personal information, including bank account details, was stolen as part of the 2015 data breach.
Viewers contacted BBC Watchdog Live about concerns that their details had been breached by TalkTalk. But the company had told them that their details were not compromised.
“The customer data referred to by BBC Watchdog relates to the historical October 2015 data breach. It is not a new incident,” the firm said.
The BBC consumer show investigated and found the personal details of approximately 4,500 customers available online after a Google search.
The details included full names, addresses, email addresses, dates of birth, TalkTalk customer numbers, mobile numbers and bank details for thousands of customers.
The information is likely to have been online since the breach, without the knowledge of the people affected.
The 2015 attack saw personal details of nearly 157,000 customers accessed, including bank account numbers and sort codes of over 15,000 customers.
The Information Commissioner’s Office (ICO) conducted an investigation into the breach, finding multiple failings in TalkTalk’s security processes. As a reflection of ‘the seriousness of the event’, the ICO issued TalkTalk with a record fine of £400,000.
When presented with the findings of the BBC investigation, TalkTalk said it was a genuine error and that it has since written to all impacted customers to apologise.
“The 2015 incident impacted 4% of TalkTalk customers and at the time, we wrote to all those impacted,” the company said in a statement.
“In addition, we wrote to our entire base to inform them about the breach, advise them about the risk of scam calls and offer free credit monitoring to protect against fraud.
“A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologise; 99.9% of customers received the correct notification in 2015.
“On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss.”