TalkTalk customers' data could have been accessed by hackers, boss admits

Updated: 

The sensitive personal data of millions of TalkTalk customers could have been accessed by hackers after a "significant and sustained cyber attack" on its website, the firm's chief executive has admitted.

Dido Harding could not say whether the information had been encrypted as she apologised to customers who are now at risk of having their credit card and bank details used by the criminals behind the attack.

She said the company was assuming the personal details of all its four million customers had been accessed by cyber criminals while it determines exactly what happened in Wednesday's attack.

She told the Press Association: "We have taken the precaution to assume the worst case, which is that all of our customers' personal financial information has been accessed.

"We think that is the most prudent and sensible way to be, to tell all of our customers that now so that they can protect themselves rather than wait to do the analysis and give a more precise number and cause more concern to people over the long term."

The most recent breach was the third in a spate of cyber attacks affecting them in the last eight months.

In August the company said its mobile sales site was hit by a "sophisticated and co-ordinated cyber attack" in which personal data was breached by criminals.

And in February TalkTalk customers were warned about scammers who managed to steal thousands of account numbers and names from the company's computers.

Despite the attack happening on Wednesday morning, TalkTalk informed customers on Thursday night

Mrs Harding added: "I know it feels like a very long time but at Wednesday lunchtime all we knew was that our website was running very slowly, that our email system was running slowly, and that is usually an indication that someone is trying to bombard your systems to get in. So we took the decision to bring down our systems right away, we then spent the next 24 hours trying to work out exactly how someone had got in and what data they had accessed.

"We don't know for certain yet exactly what data has been accessed, what customer information has been stolen, so we have taken the precaution, actually very quickly, to try and let all of our customers know, so that we can help them and they can help secure their own information."

Scotland Yard's cyber crime unit said it has launched an investigation alongside the National Crime Agency (NCA) but as yet no arrests have been made.

One theory for the motive behind the attack is Islamic extremism, with one self-proclaimed group putting what it said was personal details of TalkTalk customers on a website.

Adrian Culley, a former detective in the Met's cyber crime unit, told BBC Radio 4's Today programme: "They are claiming to be from Soviet Russia and be an Islamic cyber jihadi group."

However, the accuracy of the information has not been verified and there was also speculation that blackmailers could be behind the attack.

Professor Peter Sommer, from at De Montfort University's cyber security unit, told Today: "It seems to me the suggestion that these are Islamic terrorists who are perpetrating it is unlikely, not impossible.

"One has to look at what is probably the most likely outcome. One of them is an extortion attempt; since they have gone public I suspect that's not going to work. The other one is just to get hold of the credit card information, get hold of the personal information."