Police are investigating a ransom demand sent to telecoms giant TalkTalk following the cyber attack which may have resulted in the theft of millions of customers’ bank and credit card details.
The company revealed it had been contacted by someone claiming to be responsible for Wednesday’s attack who was seeking payment, but it was not sure if the message was genuine.
The investigation came as it was revealed that some customers have had money taken from their accounts, apparently by scammers.
A spokesman for Scotland Yard’s cyber crime unit, which is investigating the data breach, said: “We are aware of this information and it will form part of our investigation.”
Some TalkTalk customers have already complained that their bank accounts and credit cards have been targeted, according to reports.
TalkTalk chief executive Dido Harding said the company had assumed a worst case scenario that all the personal data relating to its four million customers was compromised until they could confirm exactly what was taken.
The phone and broadband provider said it was investigating whether personal details of past as well as present customers were taken.
Baroness Harding told the Press Association: “We have taken the precaution to assume the worst case, which is that all of our customers’ personal financial information has been accessed.
“We think that is the most prudent and sensible way to be, to tell all of our customers that now, so that they can protect themselves rather than wait to do the analysis and give a more precise number and cause more concern to people over the long term.”
A TalkTalk spokeswoman told PA that its investigation into what had been stolen includes a database of past customers, saying: “We are running the data, we just don’t know at the moment.”
Amid reports that TalkTalk had previously been warned by experts about its security, a spokesman for the firm said: “New techniques for attack develop all the time, so TalkTalk constantly updates and reviews our systems to try to stay one step ahead of cyber criminals.
“Since the previous attacks, we are working with world leading cyber security experts and investing a lot in making sure our system is as secure as possible.
“Unfortunately no system is ever totally invincible - there was clearly more that should have been done in this case, and I am very sorry for the worry and frustration this attack has caused our customers.”
Baroness Harding told the BBC “the awful truth is I don’t know” whether all the data was encrypted, adding: “With the benefit of hindsight, were we doing enough? Well, you’ve got to say that we weren’t and obviously we will be looking back and reviewing that extremely seriously.”
The latest breach is the third in a spate of cyber attacks affecting TalkTalk in the last eight months.
In August the company said its mobile sales site was hit by a “sophisticated and co-ordinated cyber attack” in which personal data was breached by criminals.
In February TalkTalk customers were warned about scammers who managed to steal thousands of account numbers and names from the company’s computers.
Scotland Yard is investigating alongside the National Crime Agency (NCA) but no arrests have been made.
The Information Commissioner’s Office (ICO) said it had been informed of the cyber attack on Thursday, with a spokesman saying: “We will be making inquiries and liaising with the police.”
One theory for the motive behind the attack had been Islamic extremism, with one self-proclaimed Jihadi group putting what it said were personal details of TalkTalk customers on a website.
However, the accuracy of the information has not been verified and there was also speculation that blackmailers could be behind the attack.
Professor Mark Skilton, an IT consultant and academic at Warwick Business School, said: “Large-scale data theft is increasingly big business for professional cyber criminals.
“The value of personal identity data records and account details is increasingly high as it can be used in masquerading identity to commit theft of other data; or give direct access to personal bank account money and fraudulent transactions.”
TalkTalk’s share price plunged 11% on Friday morning, but recovered as the day progressed to close at 4.4% below its opening price.
The company said it is working with credit reporting service Noddle to offer 12 months of credit monitoring alerts for free.
Labour MP Keith Vaz, chairman of the Home Affairs Select Committee, said complaints by customers that TalkTalk had “covered up” the seriousness of the attack should be investigated.
He told the Daily Telegraph: “Suggestions that TalkTalk has covered up both the scale and duration of this attack are alarming and unacceptable and must be thoroughly investigated. When such sensitive data as bank details have been compromised, companies have a duty to warn customers immediately.”
The company said the allegation was “unfair”.
A spokesman told the paper: “We haven’t been covering up anything. We went public with this within 36 hours. It’s not easy to go much quicker. We cannot be accused of trying to hide the scale of this. That is deeply unfair.”
Meanwhile, a spokesman for the Institute of Directors (IoD) called for more action to tackle “one of the biggest threats facing businesses and their customers”, as cyber attacks on UK companies “happen constantly”.
Oliver Parry, a senior economic adviser at the IoD, told the BBC: “The risks need to be reviewed regularly by the board of directors, who must ensure they know where the potential threats are coming from and are prepared in case the worst happens.
“The UK is a world leader in the digital economy, so we urge the government and companies to work together to make us the world leader in countering the scourge of cyber crime.”
Hazel Blears, who as a Labour MP was counter-terrorism minister and a member of the intelligence and security committee, suggested proof of adequate cyber security could be made a condition of government contracts.
She said the UK had been “a little bit tardy” in waking up to the scale of the threat but must now seek tougher rules to ensure data was protected.
“The time is rapidly approaching when we have got to have a debate in this country about do we expect companies who are holding massive amounts of public data to be able to show that they are putting in place the necessary security precautions ... about whether there needs to be a better regulatory framework,” she told BBC Radio 4’s Today.
“We could do it through a code, we could do it through government contracting. We have got our critical national infrastructure to protect - power, water, all of those things that are vital to the country.
“We could say to companies: we are not going to contract with you unless we are absolutely certain that you have taken the necessary measures.”