Broadband and email service TalkTalk failed to notify 4,545 customers that their personal data was breached in 2015, according to an investigation by BBC Watchdog Live.
The company has apologized for the episode.
BBC says it Googled TalkTalk customers and found their personal details, including names, email addresses, home addresses, dates of birth, mobile numbers and bank details.
The issue stems from the 2015 breach, in which the personal details of almost 150,000 customers were compromised. These included bank account numbers and sort codes of over 15,000 individuals, BBC continues.
BBC adds that the “information is likely to have been online since the breach, without the knowledge of the people affected.”
The UK Information Commissioner’s Office conducted a probe of the 2015 breach and assessed a fine of £400,000.
BBC claims it spoke to multiple people affected by the breach.
“They said they had been subject to frequent scam calls, and in some cases attempted fraud and identity theft, impacting their credit rating,” it reports.
Failure to notify customers of a data breach in a timely way is now a violation of GDPR.
In response to the BBC probe, TalkTalk issued the following statement: "The 2015 incident impacted 4% of TalkTalk customers and at the time, we wrote to all those impacted.
"In addition, we wrote to our entire base to inform them about the breach, advise them about the risk of scam calls and offer free credit monitoring to protect against fraud.
"A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologise. 99.9% of customers received the correct notification in 2015.
"On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss."
It has been a rough couple of months for TalkTalk. In April, it experienced an email outage in the UK, drawing hundreds of complaints.