Police 'advised TalkTalk not to warn customers about cyber attack'
Police advised telecoms giant TalkTalk not to warn its customers about a cyber attack that resulted in personal data being stolen, the firm's chief executive said.
Dido Harding said Scotland Yard advised the company to keep the attack secret so detectives could attempt to find those responsible. She said the attack included a "credible" ransom demand, which she received via email to her personal account.
It comes after TalkTalk was criticised by figures including Information Commissioner Christopher Graham following the attack on the morning of October 21 for not warning its four million customers about what had happened until late on the following day.
Mrs Harding also told MPs on the Commons culture, media and sport select committee there was a "risk" other firms had suffered a similar attack and ransom demand - but never revealed it because legislation does not require them to.
Describing the 36 hours after the attack as "one of the most difficult periods for the TalkTalk board and for me personally", she said: "I was clear by the lunchtime on the Thursday (October 22) that the sensible thing to do to protect my customers was to warn all of them because I could help make them safer. I could give them free credit monitoring, I could warn them not to accept these scam calls.
"For completely understandable reasons, the advice we received that Thursday afternoon from the Metropolitan Police was not to tell our customers.
"I totally understand why the police wanted us to stay quiet, because they have got a different objective - they want to catch the criminals and you sort of want the police to catch the criminals - and we had some very constructive discussions with them throughout that afternoon and into the early evening on how to marry the conflicting objectives of a company wanting to look after their customers and the police force rightly wanting to catch the criminals.
"So I can completely understand if other companies have faced a similar instance they could well have chosen to take a different path, either to pay the ransom or just to keep quiet."
TalkTalk revealed later on October 22 that it had been the subject of a cyber attack, and confirmed the following day that it had received a ransom demand.
Mrs Harding, who sits as Conservative peer Baroness Harding of Winscombe in the House of Lords, agreed with Tory Folkestone and Hythe MP Damian Collins that the UK customer protection and notification system was "quite weak" because internet service providers (ISPs) are the only firms obliged to tell the Information Commissioner's Office (ICO) about data loss.
Mr Collins said: "The story you have painted, there must be a risk though that other companies, maybe not ISPs, but that (are) holders of significant amounts of data, who receive an email like the one you received asking for a ransom to be paid and they pay it and no one would be any the wiser?"
Mrs Harding replied: "I think there is that risk."
The TalkTalk boss defended her company's security arrangements, saying that the hackers had "found a needle in a haystack of haystacks", and reiterated her belief that cybercrime is "the crime of our generation".
She told MPs that the total number of customers whose personal details were accessed was 156,959, some 4% of its customer base, and the data could not be used alone to cause financial loss.
Five people, including four teenagers, have been arrested in connection with the attack.