(Reuters) — British broadband provider TalkTalk said on Sunday it had hired defense company BAE Systems to investigate a cyber attack that may have led to the theft of personal data from its more than 4 million customers.

TalkTalk said on Friday it had received a ransom demand from an unidentified party for the attack, which has led to calls for greater regulation of how companies and public bodies manage personal data.

“BAE Systems are supporting us as we investigate this week's cyber attack,” a spokeswoman for TalkTalk said, declining to give further details due to the ongoing investigation.

A spokeswoman for BAE's Applied Intelligence division said the company's cyber-specialists were analyzing “vast quantities” of data to help establish how the breach happened and what information was stolen.

The Metropolitan Police Cyber Crime Unit is also conducting a criminal investigation into the attack.

While TalkTalk said on Saturday it did not believe the information accessed would enable hackers to steal money from its customers, British newspapers on Sunday carried stories of individuals who said callers posing as TalkTalk employees had taken money from their bank accounts.

Many customers took to social media to complain about their treatment following the attack, TalkTalk's third data breach this year, with media also reporting some had been told they faced hundreds of pounds in fees to leave the provider.

Britain's Information Commissioner watchdog, which can impose fines of up to £500,000 ($765,700), has said it is looking into the incident but security experts said the prevalence of cyber crime showed more needed to be done.

Data released by the Office for National Statistics this month showed there were nearly 2.5 million incidents of cyber crime in the year to June 2015.

Simon Moores, chair of the International eCrime Congress and a former government technology ambassador, said so far the commissioner had proved “somewhat toothless”.

“The Information Commissioner needs to have more powers to reflect the direction of travel ... at a time of rampant identity theft and exploitation of financial details,” Mr. Moores told Reuters.

He said Britain should give responsibility for information security to a single minister rather than have it spread across several government departments.

“You need to encourage a culture and a level of responsibility where all large organizations ... take serious ownership and responsibility for the privacy of people's financial and personal data rather than having a cavalier attitude, which we have seen in so many cases,” he said.