The data hacked in the TalkTalk cyber attack "is significantly less than originally suspected" with fewer than 21,000 unique bank account numbers and sort codes accessed, the company said.
TalkTalk also revealed that fewer than 1.2 million customer email addresses, names and phone numbers were accessed, along with fewer than 28,000 obscured credit and debit card details, and fewer than 15,000 customer dates of birth.
"Even though the scale of the attack is significantly smaller than initially suspected, we continue to advise customers to be vigilant, and to take all precautions possible to protect themselves from scam phone calls and emails," a spokesman said.
Earlier, the Metropolitan Police confirmed that a second boy has been arrested in connection with the alleged attack.
The 16-year-old, from Feltham in west London, was held on suspicion of computer misuse after a search of his home yesterday.
The teenager has been bailed to a date yet to be confirmed.
A 15-year-old boy from County Antrim in Northern Ireland was arrested on Monday in connection with the alleged data theft. He was bailed until a date in November.
The investigation is being carried out by the Met's cyber crime unit, the PSNI's cyber crime centre and the National Crime Agency.
The latest breach is the third in a spate of cyber attacks affecting TalkTalk in the last eight months, with incidents in August and February resulting in customers' data being taken.
Police confirmed officers also carried out a search at a residential property in Liverpool in connection with the cyber attack.
Inquiries by the Met's cyber crime unit and officers from the National Crime Agency, the British equivalent of the FBI, continue.
The first boy arrested, from Northern Ireland, is known to like the Call Of Duty video game which simulates warfare, neighbours said.
He was described by local residents as a "quiet boy" who moved to the area recently with his family.
The TalkTalk spokesman added: "Since the cyber attack on our website on Wednesday 21st October 2015, we have been working to establish what happened and, importantly, understand the extent of any individual customer data stolen during this attack.
"Our investigation continues, but we now know the extent of the data accessed is significantly less than originally suspected.
"As we have previously confirmed, the credit and debit card details cannot be used for financial transactions. In addition, we have shared the affected bank details with the major UK banks so they can take their usual actions to protect customers' accounts in the highly unlikely event that a criminal attempts to defraud them."
He said the company will not call or otherwise contact customers regarding the incident and ask for bank details or other financial or personal information.