It said the personal details of 156,959 customers were accessed in the breach of its website, including the bank account numbers and sort codes of 15,656 customers – that compares with an estimate of “less than 21,000” published by the company on 30 October.
In addition, 28,000 “obscured” credit and debit card numbers were accessed, but TalkTalk said these cannot be used for financial transactions because the middle six digits had already been removed and customers cannot be identified by the stolen data.
“Our ongoing forensic analysis of the site confirms that the scale of the attack was much more limited than initially suspected, and we can confirm that only 4 per cent of TalkTalk customers have any sensitive personal data at risk,” said the firm, which is continuing its investigations with the Metropolitan Police.
“However, we continue to advise customers to be vigilant, and to take all precautions possible to protect themselves from scam phone calls and emails.”
TalkTalk added: “It was a difficult decision to notify all our customers of the risk before we could establish the real extent of any data loss. We believe we had a responsibility to warn customers ahead of having the clarity we are finally able to give today.
“We have now contacted all customers who have had financial details accessed, reiterating our advice on what to do to keep themselves safe. The financial information accessed cannot on its own lead to financial loss. We will be contacting all other affected customers in the coming days.
“We want to make customers aware that we will not call or otherwise contact them regarding this incident and ask for bank details or other financial or personal information.”