Customer data stolen in TalkTalk hack attack Published duration 27 February 2015

image copyright PA image caption The stolen data was used by scammers to trick people into handing over bank details

TalkTalk customers are being warned about scammers who managed to steal account numbers and names from the company's computers.

In an email sent to every customer, TalkTalk said scammers were using stolen information to trick people into handing over banking details.

TalkTalk said it had sent the email to every customer although only a few thousand account numbers went astray.

It has set up a dedicated phone line for customers targeted by the scammers.

The theft of data was unearthed when TalkTalk investigated a sudden rise in complaints from customers about scam calls between October and December 2014, said a spokeswoman.

Legal action

"We have now concluded a thorough investigation working with an external security company, and we have become aware that some limited non-sensitive information may have been illegally accessed in violation of our security procedure," she said.

The attackers got at some of TalkTalk's internal systems via a third-party that also had access to its network. Legal action is now being taken against this unnamed third party.

The information stolen included names, addresses, phone numbers and TalkTalk account numbers. The company was confident that no sensitive or payment data went astray in the hack.

"We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly," said a statement from TalkTalk. It would not put an exact figure on the number affected but said it was in the "small thousands". The company currently has about four million customers.

The scammers appear to be using the stolen details to trick people into thinking calls are coming from legitimate TalkTalk customer service staff. People are then tricked into handing over bank details or into signing up and paying for security software and services they do not need.

Although TalkTalk said it became aware of the data loss late last year, the BBC has been contacted by one customer who said the scammers working to a similar pattern called in August. His wife's familiarity with computers helped her quickly spot that the call was fake.

"They said our computer was infected with a virus and used various social engineering techniques to try to get more info, but she's pretty clued up," said Richard Lee-Williams from Wales.

"Over the following few days she got several more calls but from a different person each time trying the same trick," he said.

image copyright Eyewire image caption Scammers used TalkTalk account details to trick people into buying security software they did not need

At the time TalkTalk was "dismissive" of the complaint Mr Lee-Williams made about the scam.

A TalKTalk spokeswoman said without more details it was hard to know if the same conmen were involved in the August and December attacks. She invited Mr Lee-Williams to contact TalkTalk to resolve his complaint.

Customers who have been hit by the scammers can call a dedicated number, 0800 083 2710, to get help from the telecoms firm.

Some reports suggest customers have lost thousands to the scammers. Many TalkTalk customers have taken to the company's support forums to report that they have been contacted by the scammers.

Customers who have been caught out should contact their bank, said the firm. It added that it was working with the Information Commissioner's Office to identify the scammers and stop them targeting customers.

Security expert Graham Cluley described the breach as "very worrying".

"Rumours of a TalkTalk data breach have been bubbling up since December, but this is the first official confirmation that a serious incident has occurred," he said.

"Unfortunately, it's unlikely that scammers and fraudsters are only targeting TalkTalk - there is a good chance that other telecoms companies have also been on the receiving end of attacks from hackers eager to steal customer data," he added.

"Everyone needs to be on their guard for unsolicited emails and phone calls," said Mr Cluley. "If in doubt, go the extra mile to confirm that the person contacting you is legitimate."