The data - which included full names, addresses, email addresses, dates of birth, customer numbers, mobile numbers and bank details - was stolen in 2015 and is believed to have been easily found online for nearly four years.
Details online for nearly four years
The details found are part of the larger 2015 data breach where almost 157,000 TalkTalk customer details were stolen.
Watchdog were contacted by concerned customers who were suspicious that their details had been stolen, but had not been told anything by TalkTalk.
Watchdog Live asked TalkTalk about the breach but were told the details had not been compromised. However, it investigated and found the personal details of approximately 4,500 customers available online after a simple Google search.
Part of a larger data breach
The details found by the BBC consumer show were freely and easily available online and did not have to be found by searching the ‘dark web’. This information is likely to have been online since the 2015 breach, without the knowledge of the people involved.
The breach left substantial amounts of sensitive personal information potentially exposed to fraudsters and saw the Information Commissioner's Office (ICO) issue a record fine of £400,000 to TalkTalk as a reflection of “the seriousness of the event.”
While all TalkTalk customers were advised about the risk of scam calls, thousands were reassured by the Chief Executive at the time that “none of your personal information or sensitive financial data was taken”, when this was not the case.
Following Watchdog Live’s investigation, TalkTalk has now contacted the affected customers and made them aware that their details were compromised back in 2015.
Multiple people whose details were breached by TalkTalk told Watchdog that they had been subject to frequent scam calls, and in some cases attempts at fraud and identity theft, impacting their credit rating.
These people may never know if their experiences are a direct result of TalkTalk’s data breach, or if their details could have been accessed some other way.
Data can never be completely erased
Online security expert Scott Helme told the programme, “If the data has come from TalkTalk then obviously we need to go and revisit all of these people who’ve been told that they weren’t exposed and look at what they can do to rectify the harm.
“We’re never going to completely erase this data but what we can do is try to reduce the impact of having lost the data.”
A spokesperson for TalkTalk said, “The customer data referred to by BBC Watchdog relates to the historical October 2015 data breach. It is not a new incident.
“The 2015 incident impacted 4 per cent of TalkTalk customers and at the time we wrote to all those impacted. In addition, we wrote to our entire base to inform them about the breach, advise them about the risk of scam calls and offer free credit monitoring to protect against fraud.
“A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident.
“This was a genuine error and we have since written to all those impacted to apologise. 99.9 per cent of customers received the correct notification in 2015. On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss.”