The ICO has fined TalkTalk £100,000 for a breach of principle 7 of the Data Protection Act – the “security” principle.
It found that a third party company, contracted by TalkTalk, had wide access to customer data and that some of the third party accounts had been used to unlawfully access TalkTalk’s customer data.
The issue was brought to the attention of the ICO after complaints that TalkTalk customers had been receiving scam calls, using TalkTalk data to identify themselves.
You can read more about this breach and the subsequent ICO investigation on the ICO website, here.
This is a stark reminder to any business that you should (a) make sure suitable security is in place for systems storing personal data and (b) that you should only allow the minimal required access to those systems.