27 Jan 2016

Arrests at TalkTalk subcontractor over personal data breaches

“Fill out the form and hit submit.” It’s the kind of request that accompanies so many of our website visits.

But when you hit the button, who exactly gets hold of your personal details and what can they do with them?

In the past fortnight, Indian police have arrested three employees of a sub-contractor of TalkTalk, who are accused of stealing customers’ data and using it to con them out of thousands.

If proven, the allegations shed new light on TalkTalk’s poor record on taking care of its customers’ details, whether directly or indirectly. It also highlights just how global the data trade has become, and the risks involved.

Even before October’s hacking incident, TalkTalk users had complained of receiving spam calls, in some cases leading to losses of thousands of pounds; bank accounts were cleared, precious savings spirited away.

We helped one victim track down the men who scammed her, and discovered they were based in Kolkata, the city where Indian IT services giant Wipro handled its contract with TalkTalk.

Wipro’s name came up in the course of my investigation into her case, and now it seems Indian police are extending their inquiry into the firm.

Why did TalkTalk end up sending customers’ details to India? The main reason is that, by its own admission, the telecoms company was getting hammered with complaints, and didn’t have the deep pockets of its rivals to deal with them.

For us consumers, there’s a dilemma: globalised tech brings us cheap deals and convenience. But only if we relinquish control of what’s increasingly our most valuable asset: our personal information.

TalkTalk said in a statement: “Following the October 2015 cyber attack, we have been conducting a forensic review to ensure that all aspects of our security are as robust as possible, including that of our suppliers.

“As part of the review, we have been working with Wipro, one of our suppliers, and the local Police in Kolkata.  Acting on information supplied by TalkTalk, the local Police have arrested three individuals who have breached our policies and the terms of our contract with Wipro.

“The same site handles calls on behalf of a number of multi-nationals and our security teams will be sharing the details with them to ensure they can check their own operations. We are also reviewing our relationship with Wipro.

“We are determined to identify and deal effectively with these issues and we will continue to devote significant resource to keeping our customers’ data safe.  Data theft and scams are a growing issue affecting all businesses and they are notoriously difficult to investigate and prosecute.  We are pleased that our investigations have yielded results, and will continue to do everything we can to tackle these crimes.”

Wipro said: “Wipro is committed to maintaining the integrity and confidentiality of all customer data and has a zero tolerance policy on security breaches. We would like to reassure our customers that the Company continuously evaluates and strengthens its internal processes to protect itself and its customers from any data breach.

“Working with our customer, Wipro reported potential illegal activity to the relevant law enforcement authority in India, as soon as it came to the company’s attention. Wipro is working closely with the customer in the investigation and will continue to extend its full co-operation to the investigating authorities.  We are unable to comment on the matter that is currently under investigation.”

See my 23 October 2015 report – TalkTalk receives ‘ransom demand’ over hacked data: 

Follow @geoffwhite247 on Twitter