British telecommunications firm TalkTalk has been hit with a £100,000 fine for failing to protect its customers' information in relation to a third-party data incident back in 2014, the UK's Information Commissioner's Office (ICO) announced on Thursday (10 August).
A probe concluded that TalkTalk had breached the Data Protection Act because it let company employees have access to "large quantities of customers' data" without having adequate security protections in place to ensure it wasn't abused by rogue members of staff.
The breach, not linked to the massive hacking attack in October 2015, came to light in September of the previous year, when TalkTalk started receiving complaints from customers about a spike in scam calls claiming to be providing support for technical issues.
In the calls, the ICO said, the scammers had access to customers' addresses and TalkTalk account numbers.
The investigation eventually found that three separate accounts linked to an IT services company in India – called Wipro – had been used to gain unauthorised and unlawful access to the data of 21,000 customers.
Additionally, 40 Wipro employees had access to data of between 25,000 and 50,000 TalkTalk customers and no controls were placed on the systems used to manage the records.
The incident was first reported to the UK watchdog on 11 September 2014.
"TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people," said information commissioner Elizabeth Denham in a statement.
"TalkTalk should have known better and they should have put their customers first."
The ICO said that TalkTalk "should have been aware of the increasing prevalence of scams and attempted frauds and should have assessed the measures it had in place to mitigate against them" and noted it had "ample opportunity" to change its internal systems.
The investigation did not, however, find direct evidence of a link between the compromised information and the complaints about scam calls. The fine must be paid to the office by 7 September 2017, but the ICO said it would reduce the penalty by 20% if payment is received by 6 September.
In a statement, a TalkTalk spokesperson told IBTimes UK: "We notified the ICO in 2014 of our suspicions that a small number of employees at one of our third-party suppliers were abusing their access to non-financial customer data.
"We informed our customers at the time and launched a thorough investigation, which has led to us withdrawing all customer service operations from India.
"We continue to take our customers' data and privacy incredibly seriously, and while there is no evidence that any of the data was passed on to third parties, we apologise to those affected by this incident."
But Jan van Vliet, vice president at security firm Digital Guardian, said the explanation felt like "another case of too little too late".
"Is it really surprising that companies such as TalkTalk continue to suffer these data breaches when they stand to face such an insignificant fine, almost 3 years after the incident?" he noted.
"When the numbers of affected customers run into the thousands, you don't have to look too hard at existing security measures to question whether they are even remotely adequate for the task at hand. Big companies have been able to get away with lax security for years."
But that's not to say the cybersecurity incidents did not have consequences for TalkTalk.
In October 2016, it was fined a record £400,000 for a cybersecurity incident that occurred the previous year, when teenage hackers infiltrated its computer systems and accessed the records of more than 150,000 customers, with approximately 15,000 bank account numbers stolen.
In December last year, a 17-year-old boy who admitted involvement in the cyberattack was sentenced to a 12-month youth rehabilitation order. Based on company filings, it is believed that the cyberattack, which was widely covered in the press, cost the company £42m in total.