TALKTALK has received a ransom demand from someone claiming to be behind a cyber attack which may have resulted in sensitive data belonging to millions of its customers being stolen, the company said.
The telecoms giant is investigating whether credit card and bank details were taken in Wednesday’s attack, the third time this year it has been the victim of a cyber crime.
A TalkTalk spokeswoman said: “We can confirm we were contacted by someone claiming to be responsible and seeking payment.”
The spokeswoman declined to elaborate on the demand, saying “everything else is a matter for the police.”
TalkTalk’s chief executive Dido Harding told the BBC: “Yes, we have been contacted by - I don’t know whether it’s an individual or a group purporting to be the hacker.
“I personally received a contact from someone purporting - as I say, I don’t know whether they are or are not - to be the hacker, looking for money.”
Mrs Harding previously said the company had assumed a worst-case scenario, that all the personal data relating to its four million customers was compromised, until it could confirm exactly what was taken.
Mrs Harding said: “We have taken the precaution to assume the worst case, which is that all of our customers’ personal financial information has been accessed.
“We think that is the most prudent and sensible way to be, to tell all of our customers that now, so that they can protect themselves rather than wait to do the analysis and give a more precise number and cause more concern to people over the long term.”
The most recent breach was the third in a spate of cyber attacks affecting the company in the last eight months.
In August the company said its mobile sales site was hit by a “sophisticated and co-ordinated cyber attack” in which personal data was breached by criminals.
In February TalkTalk customers were warned about scammers who managed to steal thousands of account numbers and names from the company’s computers.
Mrs Harding told the BBC “the awful truth is I don’t know” whether all the data was encrypted, adding: “With the benefit of hindsight, were we doing enough? Well, you’ve got to say that we weren’t and obviously we will be looking back and reviewing that extremely seriously.”
Scotland Yard’s cyber crime unit said it has launched an investigation alongside the National Crime Agency (NCA) but no arrests have been made.
One theory for the motive behind the attack had been Islamic extremism, with one self-proclaimed Jihadi group putting what it said were personal details of TalkTalk customers on a website.
However, the accuracy of the information has not been verified and there was also speculation that blackmailers could be behind the attack.
Professor Peter Sommer, from De Montfort University’s cyber security unit, told the BBC’s Today programme: “It seems to me the suggestion that these are Islamic terrorists who are perpetrating it is unlikely, not impossible.
“One has to look at what is probably the most likely outcome. One of them is an extortion attempt; since they have gone public I suspect that’s not going to work. The other one is just to get hold of the credit card information, get hold of the personal information.”
TalkTalk should have notified the personal data watchdog sooner about the cyber attack on its systems, Information Commissioner Christopher Graham said.
The Information Commissioner’s Office (ICO) was informed about the data breach at 4.30pm on Thursday, but the attack began on Wednesday.
Mr Graham said the delay was one of the issues the ICO would examine in its investigation into the “very serious data breach”.
But he told BBC Radio 4’s World At One: “I wish we had heard a little bit earlier and we could have been more ‘out there’ giving advice to consumers about what they need to protect their personal information.”
The ICO is already investigating TalkTalk over two previous data breaches, Mr Graham said.
“The job of the Metropolitan Police in this case is to investigate the theft, the job of the Information Commissioner’s Office is to investigate why the thieves were able to get away with it,” he said.
TalkTalk has been unable to say whether customers’ personal data was encrypted and Mr Graham indicated that if the information was not secure it could lead to a bigger penalty from the watchdog.
Mr Graham said: “There isn’t an off-the-peg solution that renders everything secure and in some cases encrypting everything would probably be excessive.
“But the big civil monetary penalty we imposed on the Sony Corporation for the PlayStation incident was involving the lack of encryption of customer data and that cost them £200,000.
“People have got to take this seriously.”
He said the incentive for a firm to act was the potential damage to its reputation rather than simply the prospect of a fine.
“The incentive is the blow to the reputation. We have already seen the TalkTalk share price falling today, even before we have conducted our investigation.
“We are increasingly operating in a digital economy and the terms on which all these companies get our business is by showing that they can look after it. If they let us down then we can shop elsewhere.”