Last week, TalkTalk - one of the UK's largest providers of broadband, landline and pay-TV services - revealed that its website had been targeted by a "significant and sustained cyberattack". It also said that some customer information, including banking details, "may have been accessed".
An investigation - led by London's Metropolitan Police Cyber Crime Unit (MPCCU) - resulted in the arrest of a 15-year-old boy in Northern Ireland on Monday, and now a second teenager has been arrested in London.
MPCCU detectives gained a warrant to search an address in the west London suburb of Feltham yesterday, and arrested a 16-year-old boy on suspicion of offences related to the Computer Misuse Act. He has since been bailed.
In addition to the investigation at the property in Feltham, police have also searched a residential address in Liverpool, northwest England. The MPCCU is continuing its enquiries in conjunction with the Police Service of Northern Ireland and the UK's National Crime Agency.
Meanwhile, TalkTalk has disclosed further information about the extent of the data breach today. The company says that "less than 1.2 million customer email addresses, names and phone numbers" were affected, adding that "the extent of the data accessed is significantly less than originally suspected", including:
- Less than 21,000 unique bank account numbers and sort codes
- Less than 28,000 obscured credit and debit card details (as previously stated, the middle 6 digits had been removed)
- Less than 15,000 customer dates of birth
But while TalkTalk attempts to downplay the severity of the breach, Chris Choi from ITV News says the company has admitted to him that those 21,000 customers' banking details were not encrypted:
TalkTalk says it has "shared the affected bank details with the major UK banks so they can take their usual actions to protect customers' accounts", adding that it will begin writing to those affected customers today.