TalkTalk hack: MPs to hold inquiry into cyber-attack

TalkTalk sign Image copyright Reuters

MPs are to launch an inquiry into the cyber-attack on TalkTalk that could have put customers' details at risk.

Culture minister Ed Vaizey also told the House of Commons the government was not against compulsory encryption for firms holding customer data.

Shares in the telecoms company fell more than 12% in Monday trading, extending its losses from last week, when news of the attack first emerged.

TalkTalk has said the cyber-attack was "smaller" than originally thought.

However, it acknowledged that customers' bank account and sort code details may have been accessed.

Responding to an urgent question on the issue asked in the Commons, Mr Vaizey described the hack as "very serious". Any compensation for customers would be a matter for the Information Commissioner, he told MPs.

The inquiry into the TalkTalk hack and data protection will be launched by Jesse Norman, chair of the Culture, Media and Sport Select Committee, the Commons was told.

'Money missing'

The phone and broadband provider has said it does not know how much of the customer information was encrypted.

It said it would contact all its four million current customers; it has said an unknown number of previous customers may also be at risk.

Some customers have also said money has gone missing from the their bank accounts.

But TalkTalk has said there is currently no evidence that customers' bank accounts have been affected as a result of last week's attack.

Image copyright PA

Analysis: Rory Cellan-Jones, BBC technology editor

The company first indicated that the "sustained" attack was a DDoS, a distributed denial of service attack where a website is bombarded with waves of traffic.

That did not seem to explain the loss of data, and later TalkTalk indicated that there had also been what is known as an SQL injection.

This is a technique where hackers gain access to a database by entering instructions in a web form. It is a well known type of attack and there are relatively simple ways of defending against it.

Many security analysts were stunned by the idea that any major company could still be vulnerable to SQL injection.

Questions for TalkTalk

A number of customers have criticised the company's handling of the attack - saying they have received no contact.

Others criticised its refusal to let them cancel contracts for free.

In a statement on Saturday, TalkTalk said the attack was on its website, where full card details are not held - not on its core system.

Any credit card details accessed were incomplete - with many numbers appearing as an x - and "not usable" for financial transactions, it added.

The Metropolitan Police is investigating the hack, as well as a ransom demand from a group purporting to be behind it.

No arrests have been made.

TalkTalk said there was a chance that some of the following customer data had been accessed:

  • Names and addresses
  • Dates of birth
  • Email addresses
  • Telephone numbers
  • TalkTalk account information
  • Partial credit card details
  • Bank account numbers and sort codes

What should you do if you think you're at risk?

  • Report any unusual activity on your accounts to your bank and, if you are in England, Wales or Northern Ireland, to the national fraud and internet crime reporting centre Action Fraud on 0300 123 2040 or If you are in Scotland, call Police Scotland
  • TalkTalk is advising customers to change their account password as soon as its website is back up and running and any other accounts for which you use the same password
  • Beware of scams: TalkTalk will not call or email customers asking for bank details or for you to download software to your computer, or send emails asking for you to provide your password

TalkTalk hack: What should I do?

More on this story