Cyber Attack update – Friday November 06th 2015
Update on cyber attack
Since the cyber attack on our website on Wednesday 21st October 2015, we have been working to establish exactly what happened and, importantly, understand the extent of any individual customer data stolen during this attack.
Investigations by both TalkTalk and the Metropolitan Police continue, and further to our update on Friday 30th October we are now able to confirm which customers were affected:
- The total number of customers whose personal details were accessed is 156,959;
- Of these customers, 15,656 bank account numbers and sort codes were accessed;
- The 28,000 obscured credit and debit card numbers that were accessed cannot be used for financial transactions, and were ‘orphaned’, meaning that customers cannot be identified by the stolen data.
Our ongoing forensic analysis of the site confirms that the scale of the attack was much more limited than initially suspected, and we can confirm that only 4% of TalkTalk customers have any sensitive personal data at risk. However, we continue to advise customers to be vigilant, and to take all precautions possible to protect themselves from scam phone calls and emails.
It was a difficult decision to notify all our customers of the risk before we could establish the real extent of any data loss. We believe we had a responsibility to warn customers ahead of having the clarity we are finally able to give today.
We have now contacted all customers who have had financial details accessed, reiterating our advice on what to do to keep themselves safe. The financial information accessed cannot on its own lead to financial loss. We will be contacting all other affected customers in the coming days.
We want to make customers aware that we will not call or otherwise contact them regarding this incident and ask for bank details or other financial or personal information.
Notes to Editors
As previously confirmed:
- This cyber attack was on our website not our core systems
- We do not store complete credit and debit card details on the website; all card details had a series of numbers hidden and therefore are not usable for financial transactions e.g. 012345 xxxxxx 6789
- Personal details accessed include: name, address, date of birth, telephone number and email address
- TalkTalk My Account passwords were not accessed
Back to Press release