TalkTalk has been fined by the UK's information regulator after 21,000 sets of customer data were at risk of falling into the hands of scammers and fraudsters.
The Information Commissioner's Office (ICO) slapped the FTSE 250 firm with a £100,000 fine.
Personal information was at risk after an Indian firm TalkTalk used to resolve complaints failed did not have sufficient protection in place to stop the data being accessed.
The breach first came to light in September 2014 when TalkTalk customers reported they were getting scam calls.
Information commissioner Elizabeth Denham said:
TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people.
TalkTalk should have known better and they should have put their customers first.
A spokesperson for TalkTalk said: “We notified the ICO in 2014 of our suspicions that a small number of employees at one of our third party suppliers were abusing their access to non-financial customer data.
"We informed our customers at the time and launched a thorough investigation, which has led to us withdrawing all customer service operations from India. We continue to take our customers’ data and privacy incredibly seriously, and while there is no evidence that any of the data was passed on to third parties, we apologise to those affected by this incident.”