Business leaders have called for urgent action to tackle cyber-crime after an attack on TalkTalk, calling it one of the biggest threats facing companies.
The Institute of Directors (IoD) said only “serious breaches” made the headlines, but attacks on British businesses “happen constantly”.
The government replied by saying it was “committed to tackling cyber-crime”.
It comes as police are investigating a ransom demand from a group purporting to be behind the TalkTalk attack.
The phone and broadband provider revealed on Thursday it had been subject to a cyber-attack in which the personal and banking details of up to four million of its customers may have been accessed by hackers.
The company has said it does not know how much of the customer information was encrypted.
There have been some reports of TalkTalk customers seeing suspicious activity on their bank accounts but so far no confirmation of fraud relating to the hack.
The Metropolitan Police has said the ransom demand would form part of its investigation, which is at an early stage, and that no arrests have been made.
Cyber-crime consultant Adrian Culley told BBC Breakfast the hackers had obtained “high-value” data and it was “going to take time to fully investigate” the attack.
He said he had already seen online what “very much appears to be genuine” TalkTalk customer bank details.
He said those who uploaded the data had redacted account numbers but published customers’ bank sort codes.
The BBC has been contacted by a number of TalkTalk customers unhappy about the company’s response to the attack.
Several said TalkTalk was failing to keep them informed about what had happened and what it was doing about it. “The silence is deafening,” one customer, Frank Wilde, said.
Others said they had lost confidence in the company and complained about its refusal to waive early-exit charges for those who wished to end contracts early because of the attack.
TalkTalk chief executive Dido Harding told the BBC on Friday: “Waiving standard terms and conditions is not something sensible I can do today.”
The company said it would consider requests on a case-by-case basis later when more information was known.
Former home office minister Hazel Blears said the TalkTalk data breach was “a wake-up call”. She said it should prompt a debate about whether further regulation was needed “because this is probably the biggest threat to our economy”.
IoD senior corporate governance adviser Oliver Parry urged the police to make cyber-crime an “urgent priority and investigate theft of data just as it would theft of physical property”.
He said companies should review risks regularly to “ensure they know where the potential threats are coming from and are prepared in case the worst happens”.
BBC technology correspondent Rory Cellan-Jones said TalkTalk had apparently fallen victim to a simple hacking trick known as an SQL injection, which it should have been able to protect against.
TalkTalk said it could not confirm this was the technique used.
What should you do if you think you’re at risk?
- Report any unusual activity on your accounts to your bank and, if you are in England, Wales or Northern Ireland, to the national fraud and internet crime reporting centre Action Fraud on 0300 123 2040 or www.actionfraud.police.uk. If you are in Scotland, call Police Scotland
- TalkTalk is advising customers to change their account password as soon as its website is back up and running, and to change the password on any other accounts for which they use the same password
- Beware of scams: TalkTalk will not call or email customers asking for bank details or for you to download software to your computer, or send emails asking for you to provide your password
Labour MP Keith Vaz, chairman of the Home Affairs Select Committee, told the BBC he would be writing to TalkTalk chairman Sir Charles Dunstone to ask for a “timeline as to what they did” when the attack was discovered.
He said the company should have informed its customers “immediately” and said TalkTalk’s explanation that it had done so within 36 hours “would not be regarded by the public as acceptable”.
The company has said its website is now secure again, and that TV, broadband, mobile and phone services were not affected by the attack.
However, the sales website and “my account” services are still down, despite the company having hoped to restore them on Friday.
TalkTalk said there was a chance that some of the following customer data had been accessed:
- Names and addresses
- Dates of birth
- Email addresses
- Telephone numbers
- TalkTalk account information
- Credit card and bank details
This is the third time this year that TalkTalk has been targeted by hackers.
In August, the company revealed its mobile sales site had been targeted and personal data breached.
And in February, TalkTalk customers were warned about scammers who had managed to steal thousands of account numbers and names. The attacks are understood to be unrelated.
Google and McAfee estimate there are 2,000 cyber attacks every day around the world, costing the global economy about £300bn a year.