Just last month telecommunications business TalkTalk was fined £100,000 for failing to put in place security processes which would protect its customers from theft.
Even though no data breach occurred, The Information Commissioner’s Office (ICO) has fined TalkTalk Telecom Group PLC after it failed to look after its customers’ data and risked it falling into the hands of scammers and fraudsters.
In this blog we will cover why the fine occured and how it could have been prevented by an adequate EDM system.
Past Failings by TalkTalk
The recent fine comes only a year after the ICO fined TalkTalk a record £400,000 for failing to put in place security procedures that allowed a cyber attacker to access data “with ease”.
It concluded that TalkTalk failed to have in place the appropriate security measures to protect the personal data it was responsible for. This is a breach of the seventh principle of the Data Protection Act.
Going back to 2016, TalkTalk should have used this breach as an opportunity to put in place an adequate EDM system to prevent further fines and legal action against the company. In failing to do so, TalkTalk were fined further by the company, and may have eroded the remaining trust customers had in the company.
Reasons for the 2017 TalkTalk Fine
The recent fine, however, found that TalkTalk breached the Data Protection Act because it allowed staff to have access to large quantities of customers’ data. Its lack of adequate security measures left the data open to exploitation by rogue employees.
The investigation found that the issue lay with a TalkTalk portal through which customer information was accessed. One of the companies that had access to the portal was Wipro, a multinational IT services company in India. After a specialist investigation, TalkTalk identified that three Wipro Accounts had been used to gain unauthorised and unlawful access to the personal data of up to 21,000.
How the Fine Could Have Been Prevented
If TalkTalk implemented adequate security processes which prevented access from unauthorised users, then the data would not have been at risk from a potential breach. An adequate system, such as the one provided by Dajon, could even go as far as to limit access down to field level. For TalkTalk this would mean that only staff with the highest level of security clearance could access personal data such as addresses, sort codes and bank account numbers, the remaining staff without security clearance could access the data but specific fields would be redacted or ‘hidden’ from view.
If you are worried about the security of your information, why not have a consultative conversation with Dajon via email@example.com or 020 7732 3223 to see how we can help ensure that your business processes do not put your security at risk.