TalkTalk confirmed on Saturday afternoon that incomplete bank details were lifted by crims, even though its core systems were not targeted in the attack on its business earlier this week.
The budget telco said that its website had been plundered by malefactors.
However, TalkTalk claimed that complete credit card details of its customers had not been stored on the site.
"Any credit card details that may have been accessed had a series of numbers hidden and therefore are not usable for financial transactions, eg '012345xxxxxx 6789It'," it said in a statement.
TalkTalk – which had warned its four million customers that all of their data may have been exposed to wrongdoers, following the attack – said that it was continuing to work with Scotland Yard's cyber crime unit.
The company added that its TalkTalk "My Account" passwords had not been stolen during the raid on its website.
It also attempted to downplay claims that customer bank details had been swiped in the attack. TalkTalk said:
We now expect the amount of financial information that may have been accessed to be materially lower than initially believed and would on its own not enable a criminal to take money from your account.
TalkTalk advised its subscribers to change their passwords and report any suspicious activity on their bank accounts to the UK’s national fraud and internet crime reporting centre. ®
The Register has created a timeline of TalkTalk's contradictory comments following on from the initial announcement of a website outage.