TalkTalk chief executive Dido Harding has admitted that the firm has major "lessons to learn" after the breach of its systems in October.
"I'm not going to pretend that I think TalkTalk got everything right," Harding told the House of Commons Culture, Media and Sport Select Committee, which has launched an inquiry into the incident.
"Clearly, you have to look back with the benefit of hindsight and say 'If I had the time again would I have done more on security knowing what we know today?'. I think the only logical conclusion you can reach is of course. Would that have prevented the attack? I don't know."
Harding told committee chairman Jesse Norman that she accepted responsibility for the breach as the head of TalkTalk.
"I am accountable and responsible for security in the company. I was before this criminal attack and I am now. I think that cyber security is a board issue so as the chief executive I think it's appropriate that I'm responsible for it and our board takes it very seriously," she said.
Harding explained the complex nature of TalkTalk's security setup and that there are two separate teams operating independently.
"The security function role is to make sure the whole company is taking security seriously. It's providing an audit and assurance function as well as performing specific security tasks," she told the committee.
"The technology function that builds all of our systems and processes has a very large element of responsibility for security and that's separate from our security team because they actually implement the security standards and processes and policies.
"The responsibility for keeping our customers' data safe is split across a number of teams. It's impossible in a telecoms company to say that security only sits with the director of security."
Harding claimed that no board member at TalkTalk, or indeed any firm, can fully protect a company against modern cyber threats.
"If any of my other board directors were here today they would all say that none of us knows enough yet, and any board member or any chief executive who looks you in the eye and says they know enough about this subject means they haven't actually thought hard enough about it yet," she said.
"Cyber crime is the crime of our generation. It is growing exponentially, and we all need to learn more. On Pastebin, if you search for literally any consumer brand in the UK, you will find consumer data. I absolutely agree that all of us need to do more on this. You can see from TalkTalk's experience over the past 12 months that we've been doing more and more."
The first breach
Significant time during the committee hearing focused on TalkTalk's past breaches, yet Harding insisted that the most recent attack was actually the firm's first "cyber breach".
"This is the first successful cyber attack on TalkTalk's systems and I would say that we are attacked every day in multiple different ways," she said.
An incident in August affected Carphone Warehouse, which is a third-party supplier to TalkTalk, and a more recent incident took place last year that Harding claimed was a "personnel issue".
"Carphone Warehouse, which is a supplier to TalkTalk and a number of other mobile retailers, was the victim of an attack, so it wasn't a TalkTalk system that was breached; it was a third-party supplier," she said.
"The reality for most businesses is that you are working with a lot of different third parties. Our approach is, if there is any data breach affecting our customers, our first priority is to look after our customers, and we would expect our third parties to operate in exactly the same way."
Several arrests have been made in England and Northern Ireland since the October attack, and some of the suspects are under the age of 18.
Harding told the committee that the attack used sophisticated tools to break into the TalkTalk systems.
"We don't think it was a simple attack. We are attacked every single day and this is the first time we have been successfully attacked so I don't think it was a simple attack at all. It was a multi-faceted attack where the criminal succeeded in finding a needle in a haystack of haystacks," she said.
Harding pointed towards a recent incident at JD Wetherspoon that resulted in the loss of over 650,000 customer records and said that the TalkTalk breach was not as damning in comparison.
"While I don't wish in any way to diminish the scale of the impact on TalkTalk customers the actual scale of this attack in the end, once we were able to confirm the specific number of customers and the actual data that was stolen, was much smaller than we had first feared," she said.