TalkTalk attack: 'Urgent action needed' on cyber-crime
Business leaders have called for urgent action to tackle cyber-crime after an attack on TalkTalk, calling it one of the biggest threats facing companies.
The Institute of Directors (IoD) said only "serious breaches" made the headlines, but attacks on British businesses "happen constantly".
The government said it was "committed to tackling cyber-crime".
A number of TalkTalk customers have complained that their bank accounts or credit cards were targeted.
However, no losses have so far been confirmed as being directly attributable to the attack on the phone and broadband services provider.
One customer, Hilary Foster, told the BBC she had lost £600 from her account, which the bank said it would refund.
"I'm still very angry [about] the fact that my details are potentially out there somewhere on the internet and I'm going to have to keep checking my bank statements now for a long time," she said.
Another customer, Barbara Manley, said she and her husband had lost £9,000 from their bank account on Wednesday, after being contacted by a caller purporting to be from TalkTalk last Sunday and then again on Tuesday.
"They appeared to know all about us and asked my husband to start the computer up and it went on from there," she said. "It all seemed so genuine."
Mrs Manley's daughter, Sarah, said the timings suggested TalkTalk "knew about this for some time and didn't warn" customers.
She said that when her father contacted TalkTalk to complain the company apologised and sent him a Freeview box.
TalkTalk said it was investigating customer queries and complaints on a case-by-case basis and was not commenting on individual cases at this stage.
It said fraud suffered by its customers "may not be the result of the cyber attack on Wednesday".
The Metropolitan Police says it is in the early stages of investigating the hacking as well as a ransom demand from a group purporting to be behind the attack.
No arrests have been made.
News of the reported losses suffered by customers comes two days after TalkTalk said it had been subject to a cyber-attack in which the personal and banking details of up to four million of its customers may have been accessed by hackers.
The company has said it does not know how much of the customer information was encrypted.
Cyber-crime consultant Adrian Culley told BBC Breakfast the hackers had obtained "high-value" data and it was "going to take time to fully investigate" the attack.
He said he had already seen online what "very much appears to be genuine" TalkTalk customer bank details.
He said those who uploaded the data had redacted account numbers but published customers' bank sort codes.
A number of TalkTalk customers have told the BBC they are unhappy about the company's response to the attack.
Several said TalkTalk was failing to keep them informed about what had happened and what it was doing about it. "The silence is deafening," one customer, Frank Wilde, said.
Others said they had lost confidence in the company and complained about its refusal to waive early-exit charges for those who wished to end contracts early because of the attack.
TalkTalk chief executive Dido Harding told the BBC on Friday: "Waiving standard terms and conditions is not something sensible I can do today."
The company said it would consider requests on a case-by-case basis later when more information was known.
Former Home Office minister Hazel Blears said the TalkTalk data breach was "a wake-up call". She said it should prompt a debate about whether further regulation was needed "because this is probably the biggest threat to our economy".
IoD senior corporate governance adviser Oliver Parry urged the police to make cyber-crime an "urgent priority and investigate theft of data just as it would theft of physical property".
He said companies should review risks regularly to "ensure they know where the potential threats are coming from and are prepared in case the worst happens".
BBC technology correspondent Rory Cellan-Jones said TalkTalk had apparently fallen victim to a simple hacking trick known as an SQL injection, which it should have been able to protect against.
TalkTalk said it could not confirm this was the technique used.
What should you do if you think you're at risk?
- Report any unusual activity on your accounts to your bank and, if you are in England, Wales or Northern Ireland, to the national fraud and internet crime reporting centre Action Fraud on 0300 123 2040 or www.actionfraud.police.uk. If you are in Scotland, call Police Scotland
- TalkTalk is advising customers to change their account password as soon as its website is back up and running, and to change the password on any other accounts for which you use the same password
- Beware of scams: TalkTalk will not call or email customers asking for bank details or for you to download software to your computer, or send emails asking for you to provide your password
Labour MP Keith Vaz, chairman of the Home Affairs Select Committee, told the BBC he would be writing to TalkTalk chairman Sir Charles Dunstone to ask for a "timeline as to what they did" when the attack was discovered.
He said the company should have informed its customers "immediately" and said TalkTalk's explanation that it had done so within 36 hours "would not be regarded by the public as acceptable".
The company has said its website is now secure again, and that TV, broadband, mobile and phone services were not affected by the attack.
However, the sales website and "my account" services are still down, despite the company having hoped to restore them on Friday.
TalkTalk said there was a chance that some of the following customer data had been accessed:
- Names and addresses
- Dates of birth
- Email addresses
- Telephone numbers
- TalkTalk account information
- Credit card and bank details
This is the third time this year that TalkTalk has been targeted by hackers.
In August, the company revealed its mobile sales site had been targeted and personal data breached.
And in February, TalkTalk customers were warned about scammers who had managed to steal thousands of account numbers and names. The attacks are understood to be unrelated.
Google and McAfee estimate there are 2,000 cyber attacks every day around the world, costing the global economy about £300bn a year.