TalkTalk - better than it feared

Small print matters. Some of TalkTalk's millions of customers might have been angry enough to try to terminate their contracts when the telecommunications company first revealed details of a major data security breach last month.

But, with contracts for mobile, fixed line, broadband and television services of up to two years (always worth looking at those few lines at the bottom of the paperwork) customers found they couldn't leave TalkTalk without incurring hefty costs.

When Dido Harding, the chief executive, first announced two weeks ago that customers would only be able to leave if they could show a "direct impact" on their bank account - a pretty high bar - investors heaved a sigh of relief and TalkTalk's share price bounced up.

It was up again this morning - by more than 12% - as the half-year results revealed that TalkTalk was still expected to make £300m profit before tax this year. And that revenues were up 6%.

Yes, churn (that's the number of customers leaving compared with the number of customers joining) was up slightly, but when I interviewed Ms Harding she certainly suggested there was little evidence of a mass exodus.

"It's too early to tell how many customers will leave," she told me.

"What I can tell you is that the early signs are encouraging.

"We of course saw an immediate step up, a spike, in churn or customers cancelling their direct debits but actually after a few days we saw many of those customers reinstating their direct debits again."

Of course, as Ms Harding went on to say, time will tell. And let's not forget, TalkTalk's share price has fallen by more than 30% in a month.

Furthermore, these half-year results do not include the three weeks since the cyber-attack.

So, beyond the £35m up-front cost announced today, there is little visibility about the actual customer impact.

We will not know that until the company announces its full-year results next spring.

Ms Harding said it was impossible to say whether TalkTalk would ever be the victim of a criminal cyber-attack in the future.

"TalkTalk takes our customers security incredibly seriously," Ms Harding said.

"Clearly we've been spending more and more on security over the last few years, and a lot more over the course of the last three weeks and I expect to do ever more.

"The reality is that we have to keep building our security walls higher and higher, because these cyber criminals are building longer and longer ladders.

"This is not just about TalkTalk. This is the crime of our era, and we're committed to doing everything in our power to protect our customers."

TalkTalk is the "challenger brand" in the telecommunications market, up against the major players BT, Sky and Virgin.

And, as such, losing a lot of customers was not an enticing prospect.

Ms Harding took a calculated bet that by being very public about the cyber-attack, customers would at least see a chief executive who took this issue seriously.

"Three weeks ago we had a live criminal attack and a very credible ransom demand and I think we did exactly the right thing to go out early and warn our customers so that we could help make them safer, and they could protect themselves," she said.

"I think we did both the right and the responsible thing and I'm personally humbled by the number of customers who have personally taken the time to contact me directly, and tell me just that."

Some believe she went public too soon, before really knowing the impact of the breach on all of TalkTalk's four million customers.

When I asked her at the time if all TalkTalk's customer data were encrypted, she admitted that the "awful truth" was she didn't know.

Today I asked Ms Harding the same question. Her answer was rather more delphic.

"I can confirm that we're compliant with all encryption requirements for the industry, but actually it's not just about encryption," she said.

"So one of the reasons why none of our customers' credit card details were stolen in a way that means they can be used is because they were more than encrypted.

"They were what's called obfuscated - obscured. So that nowhere in the system did we actually hold all of their credit card number.

"I absolutely understand why people want to know what is and isn't encrypted, but in some cases you want to do more than encrypt data."

The TalkTalk cyber-attack has not been as calamitous as initially feared by the company.

Ms Harding will be hoping that by the time customers come to renew their contracts, it will be something of a distant memory.