TalkTalk has admitted that the personal details of 156,959 customers were accessed in a cyberattack on its website last month.
In a statement on its website on Friday, the phone and broadband provider said its investigation with the Metropolitan police had allowed it to confirm the exact number of customers whose data had been compromised.
It said 15,656 bank account numbers and sort codes had been accessed and 28,000 obscured credit and debit card numbers had been obtained by hackers.
TalkTalk said customers could not be identified by the obscured or "orphaned" data, meaning they would not be able to be used to complete financial transactions.
"Our ongoing forensic analysis of the site confirms that the scale of the attack was much more limited than initially suspected, and we can confirm that only 4% of TalkTalk customers have any sensitive personal data at risk," the company said in its statement, but advised customers to continue to be vigilant in protecting themselves from scam phone calls and emails.
Four people have so far been arrested in connection to the cyberattack, three of whom are teenagers:
— A 16-year-old from Norwich was arrested on Tuesday night and released on bail until late March 2016.
— A 15-year-old boy from County Antrim, Northern Ireland, was arrested on 27 October and bailed until an unspecified date in November.
— A 16-year-old from Feltham, southwest London, was arrested on 26 October and released on bail.
— A 20-year-old man from Staffordshire was arrested on 31 October and bailed until early March.
Customer Ben Galloway told BuzzFeed News after his details were stolen that TalkTalk was an "absolute joke of a company".
"I'm absolutely disgusted that TalkTalk don't have the proper data protection for other people to go ahead and get access to all my details," Galloway said. "There could be a fraud committed with my details."
Following the attack, TalkTalk was heavily criticised for its handling of the incident.
After CEO Dido Harding admitted that she did not know how much of the company's data was encrypted, it emerged that TalkTalk had allegedly ignored warnings that its online security was lacking.
A security consultant told The Times that he was "fobbed off" by TalkTalk when he suggested that more of its online information should be encrypted.
TalkTalk said it will be contacting all affected customers in the coming days, and has set up a website with information on the incident.
On the site Harding said: "On behalf of everyone at TalkTalk, I would like to apologise to all our customers. We know that we need to work hard to earn back your trust and everyone here is committed to doing that."
Laura Silver is a reporter for BuzzFeed News and is based in London.
Contact Laura Silver at firstname.lastname@example.org.
Got a confidential tip? Submit it here.