The Carphone Warehouse allowed customers to view other people’s account details, passed inaccurate information on to debt collectors and opened accounts in the wrong name, according to the Information Commissioner’s Office (ICO).
The actions were in breach of the Data Protection Act and the ICO has issued Carphone Warehouse and sister company Talk Talk with enforcement notices ordering them to comply with the Data Protection Act. If they fail to do so they risk a criminal prosecution.
“Both companies failed to meet the basic principles of the Data Protection Act,” said an ICO statement.
Carphone Warehouse said that the incidents happened when the company was extremely busy.
“We are aware that a very small number of our customers raised concerns with the ICO some time ago,” said a Talk Talk statement. “The issues were primarily caused by the significant interest in TalkTalk’s introduction of free broadband, over 18 months ago. We take these matters very seriously indeed, and as soon as these concerns were brought to our attention we took immediate steps to resolve them and to ensure we are fully compliant with the Data Protection Act.”
The ICO detailed its findings. “The investigation revealed that Carphone Warehouse and TalkTalk had been opening customer accounts in the wrong name and passing inaccurate information on to credit reference agencies and debt collection agencies,” it said. “Security failings had also led to customers being able to view other customers’ account details online. In addition, the ICO found that the companies had not responded to requests by individuals for information held about them.”
“The Data Protection Act gives us all important rights, including the right to correct inaccurate information and to find out what information an organisation holds on us,” said Mick Gorrill, assistant commissioner at the ICO. “Organisations that process personal information must comply with the Act and, where we find that this is not the case, the ICO will take enforcement action.”