The digital burglary at 118 118 Money exposed recordings of customer service calls that included a raft of personal information although thankfully not payment data.
As revealed last week, the parent company of the personal loans and credit card provider – the sister business of the better-known UK directory enquiries service – pulled its website offline after spotting an unauthorised intruder.
At the weekend, it wrote to customers again to inform them that a person or persons were identified on its network on 20 March and "recordings of customer service calls were accessed by the criminals responsible for the cyber attack".
"For those customers who have called our customer service line, certain pieces of personal data could potentially be affected," the letter continued. "This could include your name, address and date of birth or other personal information that was discussed as part of the call with our customer service team."
Given the data was contained in the form, "it would be extremely time consuming for anyone to attempt systematically to extract or copy your personal information."
So that's OK then. Of course, the company is sorry for the incident and takes "the protection of your confidential and personal information extremely seriously".
118 118 Money said the database itself was not broken into, and "as soon as we became aware of the situation, we took the immediate step of taking our network offline and working with cyber security experts to ensure the security of both our network and data." ®
The Information Commissioner's Office was notified of the breach and a report was dispatched to the National Cyber Security Centre for further probing.
The website remains out of service a week after it was pulled offline on 23 March.
"We are making every effort to reintroduce our services and will provide full access to our Mobile App and services as soon as possible," the letter to customers added.
Despite saying there is a "low risk to your data being used fraudulently", 118 118 Money offered customers "complimentary access" to Experian's Identity Plus ID fraud monitoring service for 12 months.
The business warned customers that phishing scammers may contact them via the phone or web, and that any such attempts should be reported to Action Fraud. ®
Sponsored: Webcast: Ransomware has gone nuclear