TalkTalk has been fined £100,000 by the Information Commissioner's Office (ICO) after the telecoms giant was found to have placed personal data from 21,000 customers at risk.
An ICO investigation found the company breached data protection laws after staff from an IT firm working with TalkTalk were able to access large amounts of customer data through an online company portal.
According to the investigation, "rogue" staff at Indian firm Wipro, who resolved high-level complaints and network problems on TalkTalk's behalf, used the portal to gain unauthorised access to customer data - including names, addresses and phone numbers.
Information Commissioner Elizabeth Denham said: "TalkTalk may consider themselves to be the victims here.
"But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people.
"TalkTalk should have known better and they should have put their customers first."
The investigation was launched after TalkTalk received complaints from customers who were receiving what they described as scam phone calls. However, the ICO said it did not find direct evidence of a link between the compromised information and the scam call complaints.
According to the investigation, 40 employees at Wipro had access to the data of between 25,000 and 50,000 TalkTalk customers, and three accounts linked to the firm were used to gain unlawful access to the data.
In a statement, a TalkTalk spokesman said: "We notified the ICO in 2014 of our suspicions that a small number of employees at one of our third-party suppliers were abusing their access to non-financial customer data.
"We informed our customers at the time and launched a thorough investigation, which has led to us withdrawing all customer service operations from India.
"We continue to take our customers' data and privacy incredibly seriously, and while there is no evidence that any of the data was passed on to third parties, we apologise to those affected by this incident."
The ICO investigation said account holders could log into the portal from any internet-enabled device and carry out broad searches that enabled them to view up to 500 customer records at a time.
The investigation said this level of access was "unjustifiably wide-ranging" and placed data at risk.
The incident is unrelated to the 2015 cyber attack on the telecoms giant, when personal details of more than 150,000 customers were compromised, as well as partial financial information related to more than 15,000 customer accounts.