Nearly 157,000 British Internet users had their personal details accessed in a cyber-attack last month, provider TalkTalk said in a statement Friday.
Among the data included the bank account details of 15,000 people.
Police have arrested four people aged between 15 and 20 at addresses across England and Northern Ireland in connection with the attack. All have been released pending inquiries.
TalkTalk, which had feared up to 4 million customers have been affected, said: “Our ongoing forensic analysis of the site confirms that the scale of the attack was much more limited than initially suspected and we can confirm that only 4 percent of TalkTalk customers have any sensitive personal data at risk.”
The details of 28,000 credit cards were also accessed. TalkTalk said these could not be used for financial transactions as it was not possible to link customers to the cards.
A parliamentary investigation into the attack has been launched, along with the wider question of online security.
The company previously confirmed it had received a ransom note demanding money to prevent the release of customer data, although it was not known if the note was genuine.