Millions of people could have had their credit card and bank details stolen after a “significant and sustained cyber attack” on TalkTalk’s website.
Scotland Yard’s cyber crime unit is investigating after the telecoms giant said customers’ names, dates of birth, addresses and phone numbers may also have been accessed.
TalkTalk said it was “too early to say” how many of its four million UK customers had been affected by the attack, as the company urged users to change their passwords and check their bank accounts.
The Metropolitan Police confirmed it was investigating an allegation of data theft but no arrests had been made.
A TalkTalk spokesman said: “A criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyber attack on our website yesterday.
“That investigation is ongoing, but unfortunately there is a chance that some of the following data has been compromised: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details.
“We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.”
The company’s chief executive Dido Harding said the “rapidly evolving threat of cyber crime” was affecting an “increasing number of individuals and organisations”.
She added: “We take any threat to the security of our customers’ data extremely seriously and we are taking all the necessary steps to understand what has happened here. As a precaution, we are contacting all our customers straight away with information, support and advice around yesterday’s attack.”
A TalkTalk spokeswoman said the company shut down its website after it became aware of the attack on Wednesday morning.
The latest breach is the third in a spate of cyber attacks affecting TalkTalk customers.
In August the company revealed its mobile sales site was hit by a “sophisticated and co-ordinated cyber attack” in which personal data was breached by criminals.
And in February TalkTalk customers were warned about scammers who managed to steal thousands of account numbers and names from the company’s computers.
One security expert said the latest breach could have “serious” consequences for TalkTalk’s customers and “destroy” trust in phone and broadband provider.
Jason du Preez, chief executive of data privacy company Privitar, said: “These hacks are not just embarrassing to the organisations involved. They can have really serious financial and personal consequences for your users, destroying consumer trust and loyalty.”
In a letter to customers, TalkTalk managing director Tristia Harrison said the company took “any threat to the security of our customers’ data very seriously”.
“Unfortunately cyber criminals are becoming increasingly sophisticated and attacks against companies which do business online are becoming more frequent,” she said.
TalkTalk said it had contacted major banks which will monitor any suspicious activity from customers’ accounts and had informed the data protection watchdog, the Information Commissioner’s Office. It is also organising free credit monitoring for a year for all of its customers.
The company said any customers who notice unusual activity on their accounts should contact their bank and Action Fraud, the UK’s national fraud and internet crime reporting centre.
They have also been urged to change their TalkTalk account passwords and any other accounts which use the same passwords.