TalkTalk hack: 156,959 customers confirmed to have had details accessed

Internet service provider also confirms 15,656 customers had bank details accessed by hackers

TalkTalk has revealed what it believes to be the true extent of the major cyber attack it recently suffered, stating that over 150,000 customers had their details accessed by hackers.

The beleaguered phone and internet service provider first revealed that bank details of four million customers were potentially compromised around a fortnight ago as a result of a "significant and sustained cyber attack".

Following an ongoing operation alongside the Metropolitan Police, TalkTalk has now confirmed that the total number of customers whose personal details were accessed is 156,959. Of those customers, 15,656 had their bank account numbers and sort codes accessed.

In addition to this banking information, a further 28,000 "obscured" credit card and debit card numbers were accessed, but TalkTalk claims this information can't be used by cyber criminals, nor can customers be identified using this stolen data.

"Our ongoing forensic analysis of the site confirms that the scale of the attack was much more limited than initially suspected, and we can confirm that only four per cent of TalkTalk customers have any sensitive personal data at risk," said a TalkTalk statement.

However, the company has warned customers to "be vigilant" and to "take all precautions possible to protect themselves from scam phone calls and emails" by cyber criminals looking to take advantage of people in a vulnerable situation.

TalkTalk also states it has now contacted all customers who have had their financial details accessed "reiterating our advice on what to do to keep themselves safe".

"We want to make customers aware that we will not call or otherwise contact them regarding this incident and ask for bank details or other financial or personal information," the statement added.

Four people have now been arrested in connection with the hack, the latest being a 16-year-old boy from Norwich. It follows the arrests of a 20-year-old man from Staffordshire, a 15-year-old boy in Northern Ireland and a 16-year-old boy in West London.

TalkTalk has said the cyber attack was against its website, not its core systems, and that all card details had a series of numbers hidden and therefore are not usable for financial transactions.

However, accessed personal details include name, address, date of birth, telephone number and email address.

TalkTalk is thought to have been a victim of an SQL injection attack, perpetrated under the cover of a distributed denial of service (DDoS) attack.

Computing's Enterprise & Risk Management Summit takes place on 26 November 2015 and is free to attend for qualified end users. Register here.