TalkTalk accused of 'covering up' scale of 'jihadi' cyber attack that put four million customers' bank details at risk
- Customers have accused TalkTalk of 'covering up' scale of the mass attack
- Labour MP Keith Vaz said the 'alarming' claims should be investigated
- Online post appears to claim responsibility on behalf of Islamist extremists
- Also emerged victims were targeted before TalkTalk was aware of hack
Probe: Labour MP Keith Vaz said the suggestion of a cover-up should be 'thoroughly investigated'
TalkTalk customers have accused the company of 'covering up' the scale of the mass cyber-attack that left millions of personal details at risk.
Labour MP Keith Vaz branded the suggestion 'alarming' and 'unacceptable' and said it should be 'thoroughly investigated'. The broadband firm dismissed the allegation as 'unfair'.
Meanwhile, it has emerged fraudsters started cold-calling targets even before TalkTalk realised that customer details had been stolen.
The company alerted Scotland Yard and the major banks on Wednesday, going public about the hack on Thursday night.
But by then some of the four million TalkTalk customers whose sensitive data may have been leaked were being contacted by criminals.
Mr Vaz, chairman of the Home Affairs Select Committee, told the Daily Telegraph suggestions TalkTalk has covered up 'both the scale and duration' of the attack should be probed.
The allegation was dismissed by a company spokesman, who told the newspaper: 'We haven't been covering up anything.
'We went public with this within 36 hours. It's not easy to go much quicker. We cannot be accused of trying to hide the scale of this. That is deeply unfair.'
The firm admitted yesterday it still had no idea who was behind the attack or exactly what was stolen. But an online posting appears to claim responsibility on behalf of Islamist extremists.
The message, published on the Pastebin website, warns: 'We will teach our children to use the web for Allah. Your hands will be covered in blood. Judgement day is soon.'
It was accompanied by what appears to be a portion of the data stolen from TalkTalk but the authenticity is questionable. The group may be hoaxers passing off data stolen at an earlier date.
Baroness Dido Harding, head of TalkTalk, which has suffered a 'significant and sustained cyber attack'
As touts offered the personal data for sale online, it emerged that:
- A ransom has been demanded for the return of the information;
- Cyber-security experts said TalkTalk should be ashamed;
- A formal probe was opened by the Information Commissioner into the breach.
Last night, victims revealed that scammers had used a range of ploys to try to get hold of their money.
Hilary Foster, a barrister’s clerk from Surbiton, south-west London, found that scammers had tried to go on a shopping spree funded from her bank account.
Many of the payments were declined but thieves still made off with more than £600, which they spent at Tesco and Office shoes.
When she called to block the card, the bank asked her whether she was a TalkTalk customer: ‘I was in a blind panic. I am really, really angry TalkTalk found out about this on Wednesday and didn’t tell customers until a day later.’
Conmen also sabotaged a TalkTalk customer’s broadband line on Wednesday morning.
Iain Frater, a trainee doctor from Glasgow, said: ‘They slowed my internet down then phoned pretending to be TalkTalk support. They had all the details you would expect, including name, address, phone number and account number. The guy really sounded like he was in a TalkTalk call centre.’
When Mr Frater became suspicious and tried to end the call, the fraudsters warned him his computer was at risk of exploding.
Chief executive Dido Harding apologised to customers last night but said it was too early to consider compensation.
Asked by Channel 4 if the company had failed to invest in sufficiently tough online security following two previous attacks, she replied: ‘In retrospect – absolutely. I would be the first to admit that.’
She said the significant investment the firm had made had proved inadequate. She also admitted she didn’t know whether the details accessed by cyber criminals had been encrypted.
The firm shut its website when the attack became apparent.
Miss Harding said: ‘Our email system was running very slowly and that is usually an indication that someone is trying to bombard your systems to get in.’
Most major firms use encryption to ensure data is useless to hackers in the event it is stolen.
David Emm, of the cyber-security firm Kaspersky Lab, said: ‘TalkTalk should be ashamed. It is not their data at risk here. It is the data of other people who have placed their trust in the company.’
Message: The phone and broadband provider has asked all customers to change their passwords and check for any unusual transactions from their bank accounts
Miss Harding said the company had assumed a worst case scenario that all the personal data relating to its four million customers was compromised until they could confirm exactly what was taken.
Names, addresses, dates of birth, telephone numbers, credit card numbers and bank details are all at risk. There is a possibility the details of former customers are also vulnerable.
Meanwhile, a spokesman for the Institute of Directors called for more action to tackle 'one of the biggest threats facing businesses', as cyber attacks on UK companies 'happen constantly'.
Former MP Hazel Blears said the UK had been 'a little bit tardy' in waking up to the scale of the threat but must now seek tougher rules to ensure data was protected.
Ms Blears, a former member of the intelligence and security committee, suggested proof of adequate cyber security could be made a condition of government contracts.
The Metropolitan Police cyber-crime unit is investigating the attack but has made no arrests.
‘We are aware of speculation regarding alleged perpetrators; this investigation remains at an early stage; a full assessment of the alleged data theft is ongoing,’ it said in a statement.
Advert: TalkTalk said it had contacted major banks which will monitor any suspicious activity from customers' accounts and had informed the data protection watchdog, the Information Commissioner's Office
Two individuals whose telephone numbers were published said they were no longer TalkTalk customers. Others contacted by the Mail confirmed their details were genuine.
Jayne Snellgrove, detective superintendent at the cyber-crime unit, said: ‘TalkTalk have done everything right in bringing this matter to our attention as soon as possible.
‘The Met has one of the largest cyber-crime and fraud teams in Europe, with up to 500 specialist officers dedicated to tackling this sort of offence.’
Charles Dunstone, founder and chairman of TalkTalk, suggested the amount of information the thieves could get their hands on was restricted.
The technology company has been a repeat winner of MoneyMail’s ‘wooden spoon’ award for worst customer service.
Plain truth is we've all been far too complacent
Commentary by Edward Lucas
Imagine a hotel careless enough to put its guests’ room keys on public display, along with their names, credit cards, passport details and home addresses. It would be a boon for thieves, snoopers and pranksters.
That, broadly, is what TalkTalk appears to have done with its customers’ sensitive electronic data. And it has lost it to attackers – and is paying heavily for its carelessness.
Computers and networks can all too easily be breached, whether by criminals, hooligans, zealots or spies. But if the information is properly encrypted, the benefit to attackers is minimal.
All they get is a bewildering mixture of letters and numbers. Without the ‘keys’ to decode it, the data is worth nothing.
TalkTalk, amazingly, appears not to have done this. That made it easy for the still-unknown attackers – perhaps criminals, perhaps political extremists, perhaps a mixture of the two – to steal customer information from its computers.
The company’s bland and contradictory statements since the attack – and especially the woeful performances by chief executive Dido Harding – only compound the impression of incompetence.
It appears that the attackers began by swamping the company’s website with bogus requests for information. This distracted attention while they hacked into the network and stole the data.
The attack highlights the scandalous complacency which still reigns in British business about cyber-security.
No chief executive would sleep easily at night if the company headquarters were secured merely with a child’s padlock, with vital commercial secrets strewn on every desk.
Nor would shareholders tolerate senior management who did not understand how to lock a door or file papers safely, and could not tell if the company had been robbed.
Yet the equivalent of such ignorance and carelessness when it comes to computers and networks is all too common.
Far too many company directors have not the faintest idea how computers work, or the formidable arsenal of weapons and trickery which attackers can deploy.
The hapless Miss Harding, bumbling from studio to studio, was unable to explain how her company had been attacked, how long the attack had gone on for, what had been stolen and whether the computers and networks were now secure.
Nor could she tell who was behind it. This is the other striking feature of cyber-attacks. In the real world, we have a fairly good idea of who our enemies and rivals are. When it comes to cyber-space, we are in the dark.
An illiterate and venomous posting on the Pastebin website, accompanied by what appears to be a portion of the data stolen from TalkTalk, appears to claim responsibility on behalf of Islamist extremists.
But we cannot be sure. Cyber-attacks are indeed a form of terrorism. They disrupt normal life, erode public morale, stoke feelings of powerlessness and humiliate those responsible for protecting us.
So attacking TalkTalk, a major provider of mobile phone and internet services, could be a stunt by those bent on destroying our way of life in the misguided pursuit of piety.
Yet anyone can claim to be a jihadist. The news that someone had delivered a ransom demand to TalkTalk suggests that the real motivation of the attackers was money, not mayhem.
The internet is rife with extortion demands. Even ordinary internet users can be blackmailed because they have left a compromising trail online by browsing pornographic websites, or posting indecent pictures.
Concerns: TalkTalk, which has more than four million customers in the UK, said credit card and bank details along with personal information may have been accessed during the attack
Another common attack is ‘ransomware’ – encrypting the data on a computer, and offering to unlock it in exchange for money. Sometimes criminal and extremist elements overlap. The jihadists may revel in the havoc they wreak, but also be keen to raise money for their cause.
One thing is clear. TalkTalk will not be the last victim of these terrifying attacks. The bleak truth is that the security of our computers and networks – government, business and private – is woeful.
Our police are hopelessly overstretched trying to deal with the wave of cyber-crime in this country. When it comes to crime that crosses borders, they are even more flat-footed.
We need to counter-attack with every means possible. Everyone who owns and runs a computer has a responsibility to keep it safe.
We do not tolerate badly-maintained and dangerous cars on our roads. We need the same penalties for irresponsibility on the information superhighways.
That will require not just criminal prosecution for corporate recklessness, but also greater use of civil liability. We need class-action lawsuits from the owners of data that has been carelessly stored.
Customers should desert TalkTalk in their droves. That in turn may encourage the company’s shareholders to ask hard questions of the management. Just don’t expect Miss Harding to answer them.
Edward Lucas is the author of Cyberphobia (Bloomsbury, £17.99)