TalkTalk has confirmed that customer data has been leaked and criminals are using it successfully to scam and defraud affected people of thousands of pounds.
The broadband and phone company, which has over four million customers, says data including addresses, account information and phone numbers was leaked when a third-party contractor, which had legitimate access to its system, was involved in a data breach during 2014.
TalkTalk says it has begun legal action against the third party.
"We have become aware that some limited, non-sensitive information about some customers could have been illegally accessed in violation of our security procedures. We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly," the company said in a statement.
"We want to reassure customers that no sensitive information like bank account details has been illegally accessed, and TalkTalk Business customers are not affected."
A TalkTalk spokesman would not confirm how many of its customers had been impacted, repeating that the number was "small, but significant" and that its in-house security team had been monitoring the situation, adding that the number of people affected was nowhere near the millions.
The company has, however, emailed its millions of customers as a precaution, advising them on the possibility of scams and telling them which channels it would use to officially contact them and verify their account information.
Bank accounts attacked
While no bank details have been leaked directly, TalkTalk customers have had money stolen from their accounts indirectly, after online criminals used the stolen data to contact customers and trick them into giving hackers access to their bank accounts.
One such customer, Graeme Smith from County Durham, spoke to the Guardian, reporting that the criminals were able to transfer almost £3,000 out of his Santander bank account.
The criminals called Smith pretending to be an Indian-based TalkTalk customer support centre and tricked him into downloading a piece of software onto his computer, which was used to steal £2,815 from his account, sending it to an account in the name of money transfer service TransferWise.
Smith said it was too late when he realised there was a problem:
"I still did not want to close down my computer for fear of losing information but I decided to visit my local cash machine to check my bank account. Instead of receiving a credit of £250 there was a deduction listed as 'bill payment' of £2,815.
"I knew then that I had been scammed and these people were fraudsters. I hurried home and the first thing I did was hang up my landline, dial 1471 to check the receiving telephone number (it was a Malaysian number) so I then closed down my computer altogether. I called TalkTalk who confirmed that I had not received an official call today. I then called my bank and reported the theft of £2,815."
The TalkTalk spokesperson told IBTimes UK that this was the worst situation the company had seen to date.
Santander has said it will not be refunding Smith's money, saying: "While we appreciate this was a sophisticated scam, Mr Smith gave personal details by confirming the One Time Passcode to the fraudsters and thus validating and authorising the transfer of funds."
TalkTalk says it has "taken serious steps" to fix the situation and it continues to work with the Information Commissioner's Office.
"We want to help our customers protect themselves from scams so we are writing to all customers again to warn them about this criminal activity, with full advice, support and a reminder of the many free services TalkTalk offers to try to stop malicious scams reaching them."