UK phone and broadband provider TalkTalk may have once again left its customers exposed to hackers.
TalkTalk warned its 4 million customers on Thursday that attackers could have gained access to their names, addresses, credit card and bank details, dates of birth, phone numbers, email addresses and TalkTalk account information.
"Not all of the data was encrypted," the company acknowledged, meaning anyone who obtained the unencrypted data could read it without difficulty. However, TalkTalk said it is not certain that any data was actually accessed in the attack, which happened Wednesday.
TalkTalk doesn't yet know who perpetrated the hack but has received a ransom demand from a group purporting to be behind it. "We can confirm that TalkTalk was contacted by someone claiming to be responsible and seeking payment," a spokeswoman told CNET.
The Metropolitan Police Cyber Crime Unit is investigating the attack but said that it has made no arrests and that the investigation is ongoing.
This is the latest chapter in an increasingly familiar story of sophisticated attacks on companies ranging from Target to Home Depot and Carphone Warehouse. For TalkTalk, it's the second hack in the past 12 months, following an incident last December. Even when customers aren't directly affected, they could see costs increase because the severity of attacks can.
The attack could also expose TalkTalk customers to the risk of identity theft and resulting fraud. Identity theft can let hackers impersonate people or companies, potentially using the information they have to trick others into handing over passwords and personal information that could leave their accounts exposed. TalkTalk warned customers to watch their bank accounts carefully for evidence of fraudulent activity, and it is offering a year of free credit monitoring.
The company tried to reassure customers that it's working to prevent such attacks. "TalkTalk constantly updates its systems to make sure they are as secure as possible against the rapidly evolving threat of cybercrime, impacting an increasing number of individuals and organisations," CEO Dido Harding said in a statement. "We take any threat to the security of our customers' data extremely seriously, and we are taking all the necessary steps to understand what has happened here."
TalkTalk acknowledged that some of its data wasn't encrypted, but said, "We constantly review and update our systems to make sure they are as secure as possible."
HP Security criticized the company for not making encryption a priority.
"If data is left unprotected, it's not a matter of 'if' it will be compromised, it's a matter of 'when'," said Andy Heather, vice president at HP Security. Companies should assume that all security measures will fail and therefore focus on protecting the data itself. If TalkTalk had done this, he said, the "attackers would have ended up with unusable encrypted data."
TalkTalk has outlined on its website all the steps people might want to take to ensure they are as secure as possible.
Update, 6:50 a.m. PT: Comment from TalkTalk has been added.