THE sensitive personal data of millions of TalkTalk customers could have been accessed by hackers after a "significant and sustained cyber attack" on its website, the firm's chief executive has admitted.
Dido Harding could not say whether the information had been encrypted as she apologised to customers who are now at risk of having their credit card and bank details used by the criminals behind the attack.
"I am, in a sense, saying that there is a risk that all of our customers' personal data has been accessed and therefore we are taking that very seriously and looking to make sure that we can help our customers protect themselves if that data has been stolen," she said.
Ms Harding told BBC Radio 4's Today programme that customers would be given free credit monitoring to check if their identity had been cloned and said everyone with a TalkTalk account should assume their information is at risk.
"Yes, I"m sorry but that is exactly why I am on the airwaves this morning saying all of this, why we are giving all of our customers free credit monitoring for the course of the next years so that they can monitor if criminals are using that information to try and impersonate their identity."
Ms Harding defended the firm for not revealing the security breach until Thursday night, despite it taking place on Wednesday morning.
She admitted it does not yet know how many of its four million customers are affected by the third in a spate of cyber attacks affecting them in the last eight months.
In August the company said its mobile sales site was hit by a "sophisticated and co-ordinated cyber attack" in which personal data was breached by criminals.
And in February TalkTalk customers were warned about scammers who managed to steal thousands of account numbers and names from the company's computers.
Adrian Culley, a former detective in the Met's cyber crime unit, told BBC Radio 4's Today programme an Islamic hacking group claimed to be behind the attack.
He said: "They are claiming to be from Soviet Russia and be an Islamic cyber jihadi group. They have posted on to Pastebin information that appears to be TalkTalk customer private information."
However there was also speculation that blackmailers could be behind the attack.
Ms Harding told ITV's Good Morning Britain the three attacks on her firm were "completely unrelated", adding: "We moved as fast as we possibly can, on Wednesday lunchtime all we knew was that our website was running slowly and that we had the indications of a hacker trying to attack us.
"I can't even tell you today exactly how many customers have been affected. We have tried to come public as fast as we can once we have got a reasonable idea of what potential data has been lost.
"I really appreciate the frustration and the worry and the concern that this causes customers - I am a customer myself - and I am very sorry for that. We are rushing to try and get that information to our customers as fast as we possibly can."
She added: "This is a crime, a criminal has attacked TalkTalk systems and we are not the only ones, whether it is the US government, Apple, a whole host of companies. Cyber crime is something we all need to get better at defending ourselves against."
A Scotland Yard spokesman said: "The Metropolitan Police Cyber Crime Unit is investigating an allegation of data theft from a telecommunications website. The theft was reported to the Met on Wednesday 21 October.
"There have been no arrests and inquiries are ongoing.
"We are aware of speculation regarding alleged perpetrators; this investigation remains at an early stage; a full assessment of the alleged data theft is ongoing."
TalkTalk's approach was criticised by cyber security expert professor Peter Sommer, who said "it looks as though they have made some rather unfortunate decisions" about their systems.
"Good practice says you ought to encrypt your data," he told Today. "The problem for these companies is staging their investment. They are constantly acquiring new customers, they are providing new services, the customers themselves want more facilities."
He continued: "You can quite see a situation in which, for straightforward commercial reasons a company decides to delay a little bit putting in an upgrade, it then has difficulties with the upgrade, it doesn't think about the changed security environment - hackers are using new techniques all the time - and that's the decision they have to make. It looks as though they have made some rather unfortunate decisions."
Prof Sommer, a visiting professor at De Montfort University's cyber security unit, said it was "not impossible" Islamic cyber terrorists were behind the attack, but it was more likely to be an attempt to extort money from TalkTalk or gain access to customers' personal information.
He said "It seems to me the suggestion that these are Islamic terrorists who are perpetrating it is unlikely, not impossible.
"One has to look at what is probably the most likely outcome. One of them is an extortion attempt, since they have gone public I suspect that's not going to work. The other one is just to get hold of the credit card information, get hold of the personal information."
