Police "advised" TalkTalk against warning its consumers about the cyberattack on its site. CEO Dido Harding has said that Scotland Yard advised the company to keep the attack a secret so that detectives could carry out their investigation and arrest those responsible.
Harding was answering questions at the House of Commons Culture, Media and Sport Committee. She described the 36-hour cyber-attack on her site as "one of the most difficult periods for the TalkTalk board and for me personally". She added: "I was clear by the lunchtime on the Thursday (October 22) that the sensible thing to do to protect my customers was to warn all of them because I could help make them safer. I could give them free credit monitoring, I could warn them not to accept these scam calls.
"For completely understandable reasons, the advice we received that Thursday afternoon from the Metropolitan Police was not to tell our customers."
The company later confirmed that a total of 156,959 customers had their personal details accessed by the hackers. Around 15,656 bank account numbers and sort codes were stolen; 28,000 credit and debit card numbers were obscured and cannot be used for financial transactions.
Five people, of whom four are teenagers, have so far been arrested in connection with the attack. The last to be arrested was an 18-year-old from Llanelli, South Wales. He was taken into custody at the Dyfed-Powys police station on 24 November on suspicion of blackmail.
Harding added: "I totally understand why the police wanted us to stay quiet, because they have got a different objective - they want to catch the criminals and you sort of want the police to catch the criminals - and we had some very constructive discussions with them throughout that afternoon and into the early evening on how to marry the conflicting objectives of a company wanting to look after their customers and the police force rightly wanting to catch the criminals.
"So I can completely understand if other companies have faced a similar instance they could well have chosen to take a different path, either to pay the ransom or just to keep quiet."
The company also revealed that it received a ransom demand following the cyberattack, the Press Association reports.
Harding agreed with Damian Collins, the Tory MP for Folkestone and Hythe, that the UK's customer protection and notification system was quite weak, as internet service providers (ISPs) are the only firms required to tell the Information Commissioner's Office (ICO) about data loss. While defending the company's security arrangements, she said that hackers had "found a needle in a haystack of haystacks" and that cybercrime is "the crime of our generation".