Personal data of TalkTalk breach victims discovered online

In 2015, news broke of a hack on TalkTalk, which compromised the personal data of 155,959 of the telecommunications firm’s customers, including 15,656 who had their bank details hacked.

Reports now reveal that TalkTalk did not notify 4,545 of these customers that their personal data had been stolen, after viewers of the BBC consumer programme, Watchdog Live, contacted the show to complain that their details had been breached.

TalkTalk has underlined that the new complaints relate to the breach from four years ago, and not to any new data breach incident. Subsequent to the complaints, a BBC investigation found that the personal data of 4,500 of the phone company’s customers were available online following a simple search through Google.

Among the items of data exposed were full names, residential addresses, email addresses, birth dates, TalkTalk customer codes, mobile phone numbers and financial details – all data that has probably been online since the original breach.

At the time, the Information Commissioner’s Office (ICO) looked into the situation to conclude that TalkTalk had fallen short in a number of security process standards, with the transgressions eventually earning the company a fine of £400,000.

Responding to the BBC investigation, TalkTalk said that the discovery related to an honest mistake, and that all customers involved had now been contacted and apologised to.

In a statement, TalkTalk said:

“The 2015 incident impacted 4% of TalkTalk customers and at the time, we wrote to all those impacted.

“In addition, we wrote to our entire base to inform them about the breach, advise them about the risk of scam calls and offer free credit monitoring to protect against fraud.

“A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologise. 99.9% of customers received the correct notification in 2015.

“On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss.”

One of the customers caught up in the breach said his phone, email and bank account had come under heavy attack by fraudsters over the last three years, stating:

“I think they’ve failed their customers on a gigantic scale.”

Another victim spoke of her shock of learning that her details had been breached in 2015. She told BBC Watchdog:

“I’ve been asking this question since 2015. I’m suffering now for something that I know nothing, absolutely nothing, about.

“I knew something was not right and I kept insisting and they avoided every single time I asked the question ‘have my details been compromised?’”

Cyber security expert, Scott Helme told BBC Watchdog:

“We’re never going to completely erase this data, but what we can do is try to reduce the impact of having lost the data.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.