Snce the cyber attack on our website on Wednesday 21st October 2015, we have been working to establish what happened and, importantly, understand the extent of any individual customer data stolen during this attack. In light of the potential scale of attack, our responsibility last week was to inform all customers as quickly as possible. Our investigation continues, but we now know the extent of the data accessed is significantly less than originally suspected and can confirm that the following personal data were accessed:

  • Less than 21,000 unique bank account numbers and sort codes;
  • Less than 28,000 obscured credit and debit card details (as previously stated, the middle 6 digits had been removed)
  • Less than 15,000 customer dates of birth
  • Less than 1.2 million customer email addresses, names and phone numbers.

As we have previously confirmed, the credit and debit card details cannot be used for financial transactions. In addition, we have shared the affected bank details with the major UK banks so they can take their usual actions to protect customers’ accounts in the highly unlikely event that a criminal attempts to defraud them. We also encourage all our customers to take up the free 12 months of credit monitoring alerts with Noddle, one of the leading credit reference agencies, using the code TT231.

Even though the scale of the attack is significantly smaller than initially suspected, we continue to advise customers to be vigilant, and to take all precautions possible to protect themselves from scam phone calls and emails.

We want to make customers aware that we will not call or otherwise contact them regarding this incident and ask for bank details or other financial or personal information.

TalkTalk will also NEVER:

  • Ask for their bank details to process a refund. If customers are ever due a refund from us, we would only be able to process this if their bank details are already registered on our systems.
  • Call customers and ask them to download software onto your computer, unless the customer has previously contacted TalkTalk, discussed and agreed a call back for this to take place.
  • Send customers emails asking them to provide their full password. We will only ever ask for two digits from it to protect their security.

The Metropolitan Police Cyber Crime Unit’s criminal investigation is ongoing, and we continue to assist them.

Dido Harding, CEO, TalkTalk: "Given the potential size of this attack, we decided to be as open, honest and transparent as we could because we wanted to keep our customers informed and ensure they had the advice and support they need.

"Today we can confirm that the scale of attack was much smaller than we originally suspected, but this does not take away from how seriously we take what has happened and our investigation is still on going.

"On behalf of everyone at TalkTalk, I would like to apologise to all our customers. We know that we need to work hard to earn back your trust and everyone here is committed to doing that."

Detective Superintendent, Jayne Snelgrove of the Metropolitan Police Cyber Crime Unit: "TalkTalk have done everything right in bringing this matter to our attention as soon as possible.

"Our success relies on businesses being open with us and each other about the threats they encounter."