TalkTalk data breach customer details found online

TalkTalk failed to inform 4,545 customers their personal information, including bank account details, were stolen as part of the 2015 data breach.

Viewers contacted BBC Watchdog Live about concerns that their details had been breached by TalkTalk.

But the company had told them that their details were not compromised.

"The customer data referred to by BBC Watchdog relates to the historical October 2015 data breach. It is not a new incident," the firm said.

The BBC consumer show investigated and found the personal details of approximately 4,500 customers available online after a Google search.

The details included full names, addresses, email addresses, dates of birth, TalkTalk customer numbers, mobile numbers and bank details for thousands of customers.

The information is likely to have been online since the breach, without the knowledge of the people affected.

The 2015 attack saw personal details of nearly 157,000 customers accessed, including bank account numbers and sort codes of over 15,000 customers.

The Information Commissioner's Office (ICO) conducted an investigation into the breach, finding multiple failings in TalkTalk's security processes.

As a reflection of "the seriousness of the event", the ICO issued TalkTalk with a record fine of £400,000.

When presented with the findings of the BBC investigation, TalkTalk said it was a genuine error and that it has since written to all impacted customers to apologise.

"The 2015 incident impacted 4% of TalkTalk customers and at the time, we wrote to all those impacted," the company said in a statement.

"In addition, we wrote to our entire base to inform them about the breach, advise them about the risk of scam calls and offer free credit monitoring to protect against fraud.

"A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologise. 99.9% of customers received the correct notification in 2015.

"On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss."

For the last two years Alan, not his real name, has had his phone, email and bank account bombarded with a series of fraudulent attacks.

Whilst Alan will never know if the attacks were a direct result of the TalkTalk data breach, he feels the details leaked are enough to allow fraudsters to impersonate him.

Alan said he felt "extremely uncomfortable" after Watchdog Live showed him that they were able to find his bank account number, sort code and other personal information online.

"I think they've failed their customers on a gigantic scale," he added.

Watchdog Live also spoke to Maureen, not her real name, who was shocked to discover that her details were breached in 2015.

At the time, Maureen was told by TalkTalk that her details had not been stolen.

Maureen has been in touch with TalkTalk on multiple occasions, most recently in May of this year, to raise concerns that her details had been compromised.

But TalkTalk continued to insist that they hadn't. Watchdog Live's investigation found Maureen's sensitive data through a simple online search.

Maureen told the programme: "I've been asking this question since 2015. I'm suffering now for something that I know nothing, absolutely nothing, about.

"I knew something was not right and I kept insisting and they avoided every single time I asked the question 'have my details been compromised?'"

"If the data has come from TalkTalk then obviously we need to go and revisit all of these people who've been told that they weren't exposed and look at what they can do to rectify the harm," online security expert Scott Helme told the programme.

"We're never going to completely erase this data, but what we can do is try to reduce the impact of having lost the data."

Watchdog Live spoke to multiple people who were affected by the TalkTalk data breach.

They said they had been subject to frequent scam calls, and in some cases attempted fraud and identity theft, impacting their credit rating.

These people may never know if their experiences were a direct result of TalkTalk's data breach, or if their details could have been accessed some other way.

Using the information Watchdog found, a fraudster could sign up for services, set up direct debits and purchase goods on their victim's behalf, said Mr Helme.

He added that a scammer could also use this information to pretend to be the victim's bank, in order to gain other information about them.