Lawyers acting for around 50 people defrauded by scammers after a major data breach at TalkTalk in 2014 are discussing their next move, which victims hope could herald the start of legal action against the broadband firm.

Last week the Information Commissioner’s Office (ICO) announced it was fining TalkTalk £100,000 for failing to look after its customers’ data. The ICO said TalkTalk had breached data protection laws by allowing unjustifiably wide-ranging access to its systems by external companies, including Wipro, an Indian IT services firm it employed to deal with complaints and coverage problems. Staff there had access to large quantities of TalkTalk customers’ data including names, addresses, phone numbers and account details.

The ICO report referred to 21,000 TalkTalk customers who’d had their data breached. Fraudsters started to ring TalkTalk customers at home, quoting their account numbers, and were able to convince them that they were calling from the broadband firm. Customers, who were used to talking to Indian staff at the telecoms firm, were told there were internet problems that required a fix. The fraudsters conned the customers into giving them access to their bank accounts to make a £250 payment. Instead, they had their accounts cleaned out.

Graeme Smith lost £2,800 to scammers Photograph: Gary Calton/The Guardian

In 2015, Guardian Money featured the case of Graeme Smith who lived near Chester-le-Street in County Durham. He lost £2,800 to fraudsters who had obtained his account details. Since then several others have come forward, some of whom have lost larger sums.

TalkTalk has consistently denied responsibility for the frauds, arguing that these customers were duped in the same way as many others are by frauds that plague UK consumers.

Lawyers acting for the victims had been waiting for the ICO to rule on the data breach before starting legal proceedings. Sean Humber, a solicitor at information law specialist Leigh Day, who is bringing the group action, said his firm would be speaking to barristers shortly “before we make a decision regarding the action”.

“We welcome the ICO’s recognition of TalkTalk’s failure to protect its customers’ information, leaving them at huge risk of being targeted by fraudsters,” Humber said. “Customers of all companies, particularly those that hold large amounts of data online, should be able to trust that their personal and private information is safe.

“The ICO recognised that this data breach was of a kind likely to result in customers being scammed. Those affected may have claims for compensation under the Data Protection Act, and for a breach of their confidence, by arguing that the losses suffered were caused by TalkTalk’s failure to keep their personal information secure.”

TalkTalk said: “We notified the ICO in 2014 of our suspicions that a small number of employees at one of our third-party suppliers were abusing their access to non-financial customer data. We informed our customers at the time and launched a thorough investigation, which has led to us to withdraw all customer service operations from India. We continue to take our customers’ data and privacy incredibly seriously, and while there is no evidence that any of the data was passed on to third parties, we apologise to those affected.”

TalkTalk customers who have been scammed can contact Leigh Day on 020 7650 1200, or by emailing shumber@leighday.co.uk or abalasingam@leighday.co.uk