Dutourdumonde - Fotolia
Detectives from the Metropolitan Police Cyber Crime Unit (MPCCU) and officers from the National Crime Agency (NCA) executed a search warrant at an address in south Staffordshire on 31 October 2015 and arrested a 20-year-old man on suspicion of Computer Misuse Act offences.
He has since been bailed to a date in early March 2016 pending further enquires.
Police said officers also searched a residential address in Liverpool and enquiries by the MPCCU supported by officers from the NCA's National Cyber Crime Unit are continuing.
On Thursday 29 October detectives executed a search warrant at an address in Feltham and arrested a 16-year-old boy on suspicion of Computer Misuse Act offences.
He has now been bailed to a date to be confirmed.
A 15-year-old boy from County Antrim, Northern Ireland, was arrested on 26 October by officers from the Police Service of Northern Ireland (PSNI), working with detectives from the Cyber Crime Unit on suspicion of Computer Misuse Act offences.
He was taken into custody at a County Antrim police station and has since been bailed to a date in November 2015.
Detectives continue to investigative and have launched a joint investigation with the PSNI's Cyber Crime Centre (CCC) and the NCA.
The police investigation was launched when TalkTalk reported that its website had been hit by a “significant and sustained cyber attack”.
The phone and broadband provider, which has more than four million UK customers, said banking details and personal information could have been accessed.
It later emerged that TalkTalk’s website had been targeted by a DDoS and SQL-injection attack, raising fears that the DDoS attack was a smokescreen for data theft.
TalkTalk has engaged BAE Systems to investigate the cyber attack, and the company’s cyber specialists are reportedly analysing “vast quantities” of data to establish how the breach took place, and what information was stolen.
TalkTalk downplayed the impact of the breach, emphasising that only its website was attacked and not its core systems, which means only partial credit card numbers were exposed, making them theoretically useless to cyber criminals.
Read more about data breaches
- Hackers may have accessed the payment card details of up to 3,500 customers, warns finance publisher Dow Jones
- The HIV clinic data breach comes after repeated warnings in recent years by the ICOabout the risk of disclosing personal data through poor email practices
- More than 70% of executives say their organisations do not fully understand the risks associated with data breaches
- Most large enterprises already know much of what they need to put in place to protect themselves against data breaches – they just have not done it all
TalkTalk's chief executive Dido Harding has said the scale of the attack was "much smaller than we originally suspected" but she said the company still needed to "work hard to earn back your trust".
The phone and broadband provider has said hackers accessed no more than 21,000 unique bank account numbers and sort codes, 28,000 obscured credit and debit card details, 15,000 customer dates of birth, and 1.2 million customer email addresses, names and phone numbers.
However, the company has come under criticism for not ensuring that all customer data was encrypted, with some customers reportedly planning to sue the company for compensation. Members of parliament said an inquiry would be launched into the cyber attack that could have put customers’ details at risk.