TalkTalk’s chief executive says the company is “assuming the worst” after it was subject to a cyber attack potentially affecting millions of people.
Some customers have described having hundreds of pounds wiped out from their accounts since the hack began on Wednesday morning, and CEO Dido Harding has said it is believed criminals got away with “a very considerable amount of data”.
Speaking to The Independent, TalkTalk user Hilly Foster said she had checked her Halifax bank account after the news broke on Thursday night to find just over £600 had disappeared.
She said the money had been taken out in a series of payments to online shops and companies that she knew she had not made.
Ms Foster, 43, said her bank had referred the case to its fraud department and was going to refund her money, but that the worry and inconvenience left her furious with TalkTalk itself.
“I don’t understand why TalkTalk didn't contact customers when they found out about the hack – especially given it’s the third time it’s happened,” she said.
“If I'd known that there was a chance all my details weren't encrypted I'd have found another provider a long time ago.
“I’m really angry that I’ve had to spend hours on the getting this whole mess sorted out – and I’m also going to have to spend ages updating my card details on every site I use.”
Donna Kinnear, from Dingwall in Scotland, actually tweeted that she had been targeted before TalkTalk revealed the cyber attack had taken place.
She praised her bank, Santander, for blocking the hack, writing: “Some a****** hacker tried to purchase something using my bank details. Ha ha thanks to Santander he got f*** all. Thieving ***.”
Ms Kinnear later tweeted that she believed she had her “identity stolen” in the raid on TalkTalk’s databases and, like Ms Foster, was critical of the company’s response. She said: “Can’t get through to them or the fraud squad. Don’t know what to do.”
Speaking to BBC News on Friday afternoon, Ms Harding said “potentially all four million” of its customers could have been impacted by the hack.
“I know it seems strange that I can’t tell you exactly [how many were affected], but the criminals have hacked into our systems and downloaded a very significant amount of data.
“We’ve spent the last 36 hours trawling through that to see what has and has not been accessed. I am confident that a material number of our customers have been affected, which is why I’m taking the precaution of warning all our customers.”
Earlier, she told the Press Association: “We have taken the precaution to assume the worst case, which is that all of our customers' personal financial information has been accessed.”
“We think that is the most prudent and sensible way to be, to tell all of our customers that now, so that they can protect themselves rather than wait to do the analysis and give a more precise number and cause more concern to people over the long term.2
Responding to criticism over the speed of its response directly to customers, Ms Harding said the company could contact all of its customers quickest through the media. “All four million should have received emails with details by the end of the day, and it simply takes that long to send so many emails.”
Christopher Graham, the UK Information Commissioner, also criticised TalkTalk’s response.
He said his office was informed at 4.30pm on Thursday, adding: “I wish we had heard a little bit earlier and we could have been more 'out there' giving advice to consumers about what they need to protect their personal information.”
Mr Graham said the ICO was still investigating TalkTalk over two previous data breaches, and warned that if the company had failed to secure data properly it could lead to serious fines. “People have got to take this seriously,” he said.