Police arrest a third person for TalkTalk hack

Metropolitan Police have arrested a third person, a 20-year-old man, in connection with the attack on TalkTalk that exposed the details of four million customers

Police have arrested a third person in connection with the distributed denial-of-service (DDoS) attack and suspected data theft from TalkTalk.

Detectives from the Metropolitan Police Cyber Crime Unit (MPCCU) and officers from the National Crime Agency (NCA) executed a search warrant at an address in south Staffordshire on 31 October 2015 and arrested a 20-year-old man on suspicion of Computer Misuse Act offences.

He has since been bailed to a date in early March 2016 pending further enquiries.

Police said officers also searched a residential address in Liverpool, and enquiries by the MPCCU, supported by officers from the NCA's National Cyber Crime Unit, are continuing.

On Thursday 29 October detectives executed a search warrant at an address in Feltham and arrested a 16-year-old boy on suspicion of Computer Misuse Act offences.

He has now been bailed to a date to be confirmed.

A 15-year-old boy from County Antrim, Northern Ireland, was arrested on 26 October by officers from the Police Service of Northern Ireland (PSNI), working with detectives from the Cyber Crime Unit, on suspicion of Computer Misuse Act offences.

He was taken into custody at a County Antrim police station and has since been bailed to a date in November 2015.

Detectives continue to investigate and have launched a joint investigation with the PSNI's Cyber Crime Centre (CCC) and the NCA.

The police investigation was launched when TalkTalk reported that its website had been hit by a “significant and sustained cyber attack”.

The phone and broadband provider, which has more than four million UK customers, said banking details and personal information could have been accessed.

It later emerged that TalkTalk’s website had been targeted by a DDoS and SQL-injection attack, raising fears that the DDoS attack was a smokescreen for data theft.

TalkTalk has engaged BAE Systems to investigate the cyber attack, and the company’s cyber specialists are reportedly analysing “vast quantities” of data to establish how the breach took place, and what information was stolen.

TalkTalk downplayed the impact of the breach, emphasising that only its website was attacked and not its core systems, which means only partial credit card numbers were exposed, making them theoretically useless to cyber criminals.

TalkTalk's chief executive Dido Harding has said the scale of the attack was "much smaller than we originally suspected" but she said the company still needed to "work hard to earn back your trust".

The phone and broadband provider has said hackers accessed no more than 21,000 unique bank account numbers and sort codes, 28,000 obscured credit and debit card details, 15,000 customer dates of birth, and 1.2 million customer email addresses, names and phone numbers.

However, the company has come under criticism for not ensuring that all customer data was encrypted, with some customers reportedly planning to sue the company for compensation. Members of parliament said an inquiry would be launched into the cyber attack that could have put customers’ details at risk.
