Image copyright Reuters

TalkTalk has said it will only waive termination fees for customers wanting to end their contracts if money is stolen from them.

News that the TalkTalk website had been hit by a "significant and sustained cyber-attack" broke last week.

Consumer group Which? called the offer the "bare minimum".

The phone and broadband provider, which has more than four million customers in the UK, said bank details and personal information could have been accessed.

But credit and debit card numbers had not been stolen, it said.

"In the unlikely event that money is stolen from a customer's bank account as a direct result of the cyber-attack [rather than as a result of any other information given out by a customer], then as a gesture of goodwill, on a case-by-case basis, we will waive termination fees," the company said on its website.

Compulsory encryption?

The executive director of consumer association Which?, Richard Lloyd, said: "This is the bare minimum from TalkTalk who should look at all the ways customers could lose out from having their data compromised.

"TalkTalk must treat their customers fairly by letting those affected leave their contracts without penalty and consider offering appropriate compensation."

At the weekend, TalkTalk's chief executive said the attack was "smaller" than originally thought.

Image copyright Reuters

Dido Harding said any credit card details taken would have been partial and the information might not have been enough to withdraw money "on its own".

Card details accessed were incomplete - with many digits appearing as an x - and "not usable" for financial transactions, it added.

Business leaders have called for urgent action to tackle cyber crime in the wake of the TalkTalk attack.

On Monday, MPs said an inquiry would be launched into the cyber-attack that could have put customers' details at risk.

Culture minister Ed Vaizey told the House of Commons the government was not against compulsory encryption for firms holding customer data.

Investigation

A 15-year-old boy arrested in Northern Ireland in connection with the TalkTalk hacking attack has been released on bail pending further inquiries.

The Metropolitan Police, which is investigating the attack, said a County Antrim house was searched on Monday.

The boy was arrested on suspicion of Computer Misuse Act offences.

He had been taken into custody at Antrim police station and was being questioned by detectives from the Police Service of Northern Ireland.

A police statement said this was a joint investigation involving the Police Service of Northern Ireland (PSNI), and detectives from the Metropolitan Police Cyber Crime Unit (MPCCU).

A criminal investigation was launched on Thursday.

Analysis: Kamal Ahmed, BBC business editor

Now, if I was a TalkTalk customer - and I'm not - I might be feeling a little cheesed off this morning.

The company has announced that it will not waive termination fees unless customers can show that they have lost money from their bank accounts "as a direct result of the cyber-attack".

And then only as a "goodwill gesture", rather than a contractual right.

TalkTalk says customers who have given out any other information - as a result, for example, of a scam call using the partial details from the hack - then that will not qualify.

Some customers might be angry at this high bar, but, for investors, TalkTalk's decision is perfectly understandable.

After its share price took a pounding yesterday, TalkTalk cannot afford to lose legions of customers to rivals.

By holding customers to their contracts - which can be over a year long - TalkTalk must hope that memories have faded by the time it comes to customers being given the option to switch.