[BreachExchange] TalkTalk scam victims move closer to class-action lawsuit

Destry Winant destry at riskbasedsecurity.com
Mon Aug 21 08:32:41 EDT 2017


https://www.theguardian.com/money/2017/aug/19/talktalk-scam-victims-class-action-data-breach

Lawyers acting for around 50 people defrauded by scammers after a
major data breach at TalkTalk in 2014 are discussing their next move,
which victims hope could herald the start of legal action against the
broadband firm.

Last week the Information Commissioner’s Office (ICO) announced it was
fining TalkTalk £100,000 for failing to look after its customers’
data. The ICO said TalkTalk had breached data protection laws by
allowing unjustifiably wide-ranging access to its systems by external
companies, including Wipro, an Indian IT services firm it employed to
deal with complaints and coverage problems. Staff there had access to
large quantities of TalkTalk customers’ data including names,
addresses, phone numbers and account details.

The ICO report referred to 21,000 TalkTalk customers who’d had their
data breached. Fraudsters started to ring TalkTalk customers at home,
quoting their account numbers, and were able to convince them that
they were calling from the broadband firm. Customers, who were used to
talking to Indian staff at the telecoms firm, were told there were
internet problems that required a fix. The fraudsters conned the
customers into giving them access to their bank accounts to make a
£250 payment. Instead, they had their accounts cleaned out.

In 2015, Guardian Money featured the case of Graeme Smith who lived
near Chester-le-Street in County Durham. He lost £2,800 to fraudsters
who had obtained his account details. Since then several others have
come forward, some of whom have lost larger sums.

TalkTalk has consistently denied responsibility for the frauds,
arguing that these customers were duped in the same way as many others
are by frauds that plague UK consumers.

Lawyers acting for the victims had been waiting for the ICO to rule on
the data breach before starting legal proceedings. Sean Humber, a
solicitor at information law specialist Leigh Day, who is bringing the
group action, said his firm would be speaking to barristers shortly
“before we make a decision regarding the action”

“We welcome the ICO’s recognition of TalkTalk’s failure to protect its
customers’ information, leaving them at huge risk of being targeted by
fraudsters,” Humber said. “Customers of all companies, particularly
those that hold large amounts of data online, should be able to trust
that their personal and private information is safe.

“The ICO recognised that this data breach was of a kind likely to
result in customers being scammed. Those affected may have claims for
compensation under the Data Protection Act, and for a breach of their
confidence, by arguing that the losses suffered were caused by
TalkTalk’s failure to keep their personal information secure.”

TalkTalk said: “We notified the ICO in 2014 of our suspicions that a
small number of employees at one of our third-party suppliers were
abusing their access to non-financial customer data. We informed our
customers at the time and launched a thorough investigation, which has
led to us to withdraw all customer service operations from India. We
continue to take our customers’ data and privacy incredibly seriously,
and while there is no evidence that any of the data was passed on to
third parties, we apologise to those affected.”

TalkTalk customers who have been scammed can contact Leigh Day on 020
7650 1200, or by emailing shumber at leighday.co.uk or
abalasingam at leighday.co.uk


More information about the BreachExchange mailing list