TalkTalk has failed to tell 4,500 customers that their financial details were involved in a past data breach.
According to a BBC Watchdog investigation, it took nothing more than a quick Google search to find information belonging to 4,545 customers.
The data in question has not been connected to a new security incident. Rather, it relates to a data breach suffered by the ISP in 2015 which was described as a "sustained cyberattack."
The publication says that the 4,545 customers impacted by the leak were told by TalkTalk that their details were not compromised. However, the BBC was able to find their full names, addresses, dates of birth, customer account numbers, telephone numbers, and financial information.
In total, during the 2015 cyberattack, the financial information of close to 157,000 customers was exposed, including account numbers and sort codes.
At the time, such security breaches could result in fines of up to £500,000 issued by the UK's Information Commissioner's Office (ICO) under the 1998 Data Protection Act (DPA).
TalkTalk was slammed with a record fine of £400,000 after the data watchdog found numerous failures and oversights in the telecoms provider's security practices.
Potential fines have now been raised to two percent of worldwide turnover or up to €10,000,000 under the new General Data Protection Regulation (GDPR) for similar data breaches.
The leaked information has likely been available online since 2015's security incident without the knowledge of its owners, an oversight that TalkTalk has called a "genuine error."
Impacted customers will receive a notice of the latest evidence of data exposure, alongside a written apology.
"A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident," TalkTalk told the BBC. "This was a genuine error and we have since written to all those impacted to apologize. 99.9 percent of customers received the correct notification in 2015. On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss."
Earlier this month, Canadian telecoms provider Freedom Mobile said an unsecured database exposed personal information belonging to roughly 15,000 customers. Researchers who reported the database said that the "totally unprotected" data cache contained information including names, addresses, IP addresses, and unencrypted financial data.
Previous and related coverage
- Freedom Mobile data breach impacts thousands of customers
- Wyzant online tutoring platform suffers data breach
- Failed blackmail attempt prompts hackers to leak ocean of data belonging to major companies
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0