TalkTalk hack – how to beat its exit fees, protect your finances & password help

At the time of the hack on Wednesday 21 October, the under-fire broadband, phone and TV provider – which has four million customers – said names and addresses, account information and banking details may have been accessed.

However, on 6 November, TalkTalk confirmed that the personal details of nearly 157,000 customers were accessed, and of those, more than 15,000 bank account numbers and sort codes were accessed. See the 'What's the latest on the investigation?' section below for more information.

Here's what both old and new customers need to know about the entire situation.

How to leave TalkTalk penalty-free

TalkTalk's official line is you can escape penalty-free ONLY if you've had money stolen as a direct result of the hack. The charge to exit early depends on your deal and how long you've left of your contract but it can be in the £100s. But there are possible ways round this.

Step 1. When TalkTalk will let you leave penalty-free

• If you're out of contract you can leave penalty-free anyway. TalkTalk customers who are no longer in their initial contract term (typically 12-18 months) can walk away without penalty. Usually it's 30 days' notice to leave, but if switching it usually allows you to go once it's had the request from the new provider. See our Cheap Phone and Broadband and Cheap Digital TV guides for the top alternative deals.

• If you can prove fraud it may let you go.Here's how. If you're still in-contract, TalkTalk will waive the penalty to switch "on a case-by-case basis" if customers had money taken from their bank or credit card account as a direct result of the hack on or after Wednesday 21 October. To get the fee waived you must have contacted Action Fraud and got a Crime Reference Number. Then write to Crime Notification, The Legal Department, TalkTalk Group, PO Box 346, Southampton SO30 2PW.

Step 2. How to challenge TalkTalk's fee if it won't let you leave without penalty

While TalkTalk is playing hardball, don't automatically give up if you're desperate to leave due to concerns about the security of your data.

Leading consumer lawyer Mike Dailly, from the Govan Law Centre, told MoneySavingExpert there may be a case to argue against the fee under the Unfair Terms in Consumer Contract Regulations 1999.

He says: "If TalkTalk insists on imposing early termination fees, these could be challenged by way of small claims actions in court. [The regulator] Ofcom also has the power to take legal action against TalkTalk from imposing early termination fees here."

An Ofcom spokesperson says it is "too early to say" if TalkTalk customers should be able to leave penalty-free.

We've done our bit and pored over TalkTalk's small-print, and found three pieces of information that could leave it open to claims from customers who want to escape:

• Its privacy policy states: "We will only share your information with organisations outside TalkTalk with your consent if we are using information for a purpose other than as set out in this Privacy Policy."

• Its terms and conditions state: "We take privacy very seriously. We're committed to protecting and preserving any information you give to us and to being transparent about what information we hold and how we use it. We'll only use your information in accordance with our privacy policy, which you agree to by ordering or using a service."

• Its T&Cs also state: "You have other legal rights, including the right to bring a claim for breach of contract for six years from the date of breach."

So try sending or reading out this template statement to its customer services (contact details below) to escape TalkTalk's early termination fee:

Your privacy policy states my information will only be shared with organisations outside TalkTalk with my consent, and your terms and conditions state you take privacy seriously and are committed to protecting and preserving my information.

As your terms and conditions also state I can bring a claim for breach of contract within six years of the breach, as I consider this massive cyber-attack, and the strong possibility my data was compromised, as a breach, I demand you allow me to exit my contract penalty-free.

Step 3. How to get in contact with TalkTalk

You can call it on 020 3441 5550, view its complaints page (which includes a link to email it via its site) or write to it at TalkTalk Correspondence Dept, P.O. Box 346, Southampton, SO30 2PW (note the subtle difference in address to that for those hit by fraud.

TalkTalk website hacked: what you need to do now

If you stay put, it's an opportunity to haggle

The saga is an invitation to haggle as TalkTalk will be desperate to keep customers happy, especially if you're close to the end of your deal (our last poll found 83% of TalkTalk customers who tried haggling succeeded).

One such success came from Arthur, who emailed us: "Following Martin's advice I have haggled with TalkTalk and have negotiated 12 months' free broadband. Thank you Martin."

See TalkTalk haggling tips.

Am I due compensation because my data has been stolen?

TalkTalk currently says it's not in a position to make any decision about compensation.

Yet if you're unhappy about the attack, complain to TalkTalk in the first instance. You can use the free Resolver* tool to do this. If complaining to TalkTalk doesn't work, take your case to the free, independent Ombudsman Services. Also see our How to Complain guide for your rights.

The Sunday Times reported (you must pay to read its full article) over the weekend that TalkTalk could face claims from customers who want to take it on of £1,000 each.

It quoted Vinod Bange, a partner at law firm Taylor Wessing, as saying: "It is likely that a breach of this magnitude could result in thousands of individual claims for distress."

The steps every TalkTalk customer should take to protect themselves

• Check your bank or credit card account for fraud. Monitor the account registered with TalkTalk over the next few months. If you see anything unusual, contact your bank and Action Fraud on 0300 123 2040 or via www.actionfraud.police.uk as soon as possible.

• Check your credit file in case anyone's stolen your ID. The credit reference agencies can tell you if anyone's tried to open accounts in your name. Check for free – see our Credit Report guide.

  TalkTalk's also offering customers 12 months' free credit monitoring with credit agency Noddle (using code TT231). Noddle is normally free, but TalkTalk customers get an "upgrade" where they're sent email alerts every time there's a "significant change" to their report.

• Change your passwords as soon as possible. The TalkTalk website's still down and will be until TalkTalk's "completely confident it is secure". But as soon as you can, change your password – even though TalkTalk says 'My Account' passwords weren't taken, it's a sensible precaution. If you use the same or a similar password elsewhere, change these too – see Martin's Easy Password Tricks blog for passwords help.

• Don't disclose your data – cold calls/emails will be a scam. If you're contacted by anyone asking you for personal data or passwords (such as for your bank account), it's likely to be a scam. TalkTalk says it will never call to ask customers to provide bank details or passwords, or ask you to download software. See our 30 Ways to Stop Scams guide.

Further Q&As

Here are the answers to more questions you've been asking.

What data was taken?

On Friday 6 November, TalkTalk revealed how many customers were affected and what information was accessed. It said:

• The personal details of 156,959 customers were accessed. This includes names, addresses, date of births, telephone numbers and email addresses.

• Of these, 15,656 bank account numbers and sort codes were accessed – TalkTalk says this information wasn't encrypted, meaning it was visible in full.

• 28,000 obscured credit and debit card details were also accessed (the middle six digits had been removed).  

It added that the scale of the attack "was much more limited than initially suspected" and it confirmed that "only 4% of TalkTalk customers have any sensitive personal data at risk".

TalkTalk said it's still working with police and cyber security specialists to understand exactly what happened.

Reports have emerged of TalkTalk customers having their bank accounts raided – but it's not clear whether this is related to this hack.

What's the latest on the investigation?

The Culture, Media and Sport Committee announced on Wednesday 4 November that it will hold an inquiry into the circumstances surrounding the TalkTalk data breach and the wider implications for telecoms and internet service providers. It expects to hear evidence later this month.

The influential Treasury Committee also said it would continue its work on cybercrime following the TalkTalk hack. Andrew Tyrie, Treasury Select Committee chairman, said: "The recent cyber hack and theft of customer's personal data at TalkTalk is only the latest of a number of reminders of this [cybercrime threat being one of the biggest concerns in financial services].

"The Committee will be examining these issues at the earliest reasonable opportunity. It will take evidence on how the problems occurred, the current level of protection for consumers, and the wider implications for the financial sector."

Since Monday 26 October, four people have been arrested in connection with the TalkTalk hack, on suspicion of Computer Misuse Act offences. They have since been released on bail.

Is this the first TalkTalk data breach?

This is the third time TalkTalk's data's been breached this year. In August, Carphone Warehouse discovered the personal details of up to 2.4 million customers may have been accessed by hackers. The IT systems hacked provided services to TalkTalk Mobile. There was also a data breach back in February this year.

As a result of the latest data breach, TalkTalk's site is currently down, and potential customers aren't able to purchase any of its products.

'We take any threat to the security of our customers' data very seriously'

A TalkTalk spokesperson says: "We are continuing to work with leading cybercrime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.

"We would like to reassure you that we take any threat to the security of our customers' data very seriously. We constantly review and update our systems to make sure they are as secure as possible and we’re taking all the necessary steps to understand this incident and to protect as best we can against similar attacks in future. Unfortunately cyber criminals are becoming increasingly sophisticated and attacks against companies which do business online are becoming more frequent."

This article was first published on Friday 23 October and was last updated on Friday 6 November. We'll keep updating the article as we get more information.