TalkTalk hack to cost up to £35m

The cyber-attack on TalkTalk could cost it up to £35m in one-off costs, the company has said.

Following the hack, which divulged some users' financial details, all customers of the telecoms group will be offered a free upgrade.

Chief executive Dido Harding said that despite the hack, TalkTalk was "well positioned to deliver strong and sustainable long-term growth".

The firm expects full-year results to be in line with market expectations.

TalkTalk shares had jumped more than 13% by the close of trade on Thursday, but were still down more than 20% compared with their pre-hack value.

Speaking to the BBC, Ms Harding said: "The estimated one-off costs are between £30m and £35m - that's covering the response to the incident, the incremental calls into our call centres, obviously the additional IT and technology costs, and then the fact that over the last three weeks until yesterday our online sales sites have been down, so there will be lost revenue as a result."

She added that in recognition of the uncertainty that this had caused customers, they would be offered an upgrade.

A spokesperson said the type of upgrade offered would depend on the kind of package customers already had. For example, customers with TV packages might be offered a sports channel that they did not already have.

Customers who were financially affected directly will be free to leave TalkTalk without financial penalty. They would have to be able to show they had lost money as a result of the hack.

Customers who wish to leave for a different reason - for example, if they feel their data is not secure - would still have to pay a contract termination fee.

Analysis

BBC Business editor Kamal Ahmed

Small print matters. Some of TalkTalk's millions of customers might have been angry enough to try to terminate their contracts when the telecommunications company first revealed details of a major data security breach last month.

But, with contracts for mobile, fixed line, broadband and television services of up to two years (always worth looking at those few lines at the bottom of the paperwork) customers found they couldn't leave TalkTalk without incurring hefty costs.

When Dido Harding, the chief executive, first announced two weeks ago that customers would only be able to leave if they could show a "direct impact" on their bank account - a pretty high bar - investors heaved a sigh of relief and TalkTalk's share price bounced up.

It was up again this morning - by more than 12% - as the half-year results revealed that TalkTalk was still expected to make £300m profit before tax this year. And that revenues were up 6%.

Read Kamal's blog here.

On 21 October, hackers attacked TalkTalk's website, stealing confidential customer data.

The firm was initially uncertain as to the extent of the hack, but after an investigation it said last week that 157,000 of its customers' personal details had been accessed.

More than 15,600 bank account numbers and sort codes were stolen. Four people have been arrested and bailed in connection with the hack.

Ms Harding told the BBC that it was "too early to tell" what the longer-term impact of the breach would be on the business.

"We of course saw an immediate spike in customers cancelling their direct debit, but actually after a few days we saw many of those customers reinstating their direct debits again, so time will tell, but the early signs are that customers think we are doing the right thing," she told BBC business editor Kamal Ahmed.

Paula Barrett, a partner at law firm Eversheds, said preventing cyber-attacks costs money, but not preventing them costs more.

"Today's announcement reinforces how significant the cost impact of this sort of event can be. There can be a very long cost tail to these scenarios, which may run for years as new systems and processes have to be adopted and claims handled," she said.