Nine days after the suspected hacking of their website, TalkTalk has finally confirmed the real extent of the data breach.
While the company struggles to spin the line that this is "significantly less than originally suspected" , nobody should underestimate the very serious and significant loss of personal information.
The company has confirmed to me that up to 21,000 customers bank account details were held on the site unencrypted and that they were held on parts of the website targeted by suspected hackers.
What's more, they say "fewer than" 1.2 million email addresses, names and phone numbers were also accessed.
I take this to mean that a figure approaching a million customers details could now be in the hands of criminals.
TalkTalk needs to start talking about just why all this information was held without encryption, which would have rendered it useless to hackers.
It also needs to start talking to the one in four of its customers who are now confirmed to be part of this massive and potentially highly damaging affair.