Bloomberg
The British telco, which has over four million phone and broadband customers, said on its website that full credit card and bank card details had not been obtained in the attack.
Customer bank details and personal information may have been accessed, but sensitive financial information had been protected, it added.
"In the unlikely event that money is stolen from a customer's bank account as a direct result of the cyberattack (rather than as a result of any other information given out by a customer) then as a gesture of goodwill, on a case by case basis, we will waive termination fees," TalkTalk wrote.
Dido Harding, chief executive of TalkTalk, said that if any credit card information had been stolen then it would be partial and not enough to withdraw money "on its own."
Many of the digits in any stolen credit card numbers would appear as an "x," TalkTalk said, making the stolen information useless in financial transactions.
A 15-year-old boy has been arrested in Northern Ireland in connection with the hack.
In a statement, the Metropolitan Police said: "At approximately 4.20pm [on Monday], officers from the Police Service of Northern Ireland (PSNI), working with detectives from the Metropolitan Police Cyber Crime Unit, executed a search warrant at an address in County Antrim, Northern Ireland.
"At the address, a 15-year-old boy was arrested on suspicion of Computer Misuse Act offences."
TalkTalk shares were down nearly 9% on mid-Monday morning, but they have risen following the arrest.