Last year, the telecoms giant was forced to pay a £400,000 monetary penalty for its 2015 data breach, which exposed the details of 156,959 customers.
The new fine of £100,000 has been levied for leaving the personal details of 21,000 customers open to abuse at its call centre in India.
The ICO launched an investigation into the issue in 2014 when TalkTalk notified the regulator that it was getting complaints from customers that they were receiving scam calls. Typically, the scammers pretended they were providing support for technical problems and quoted customers’ addresses and TalkTalk account numbers.
The regulator identified that the problem lay with a TalkTalk portal through which customer information could be accessed. One of the companies with access to the portal was Wipro, a multinational IT services company in India.
An internal investigation by TalkTalk identified three Wipro accounts that had been used to gain unauthorised and unlawful access to the personal data of up to 21,000 customers.
Staff were able to log into the portal from any Internet-enabled device, with no controls in place to restrict access. They could view large numbers of customer records at once and export data, potentially offsite, covering up to 500 customer records at a time.
The ICO found this level of access was unjustifiably wide-ranging and put the data at risk.
Information Commissioner Elizabeth Denham said: “TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people. TalkTalk should have known better and they should have put their customers first.”