TalkTalk breach investigation leads to fourth arrest

Police investigating the data breach at U.K. telecommunications operator TalkTalk made their fourth arrest late Tuesday, as lawmakers launched their own inquiry into the case.

The Metropolitan Police Cyber Crime Unit and the National Crime Agency arrested a 16-year-old boy at an address in Norwich, England, after visiting it with a search warrant.

Police had previously arrested a 15-year-old boy from County Antrim, Northern Ireland, on Oct. 26, a 16-year-old boy in Feltham, England, on Oct. 29, and a 20-year-old man in Staffordshire on Oct. 31.

All four were arrested on suspicion of offenses under the Computer Misuse Act, and all have now been released on bail without charge while police continue their investigation.

Meanwhile, members of the U.K. Parliament’s Culture, Media and Sport Committee, which has responsibility for telecommunications and the Internet, have decided to hold their own inquiry into the protection of personal data online in the wake of the TalkTalk data breach.

The company has reported two other data breaches recently, one in December 2014 and one in February this year.

While the latest theft of customers’ personal data from the company is a sign that all is not quite right with the company’s online security, the most shocking thing about it is not the number of customers affected, but the way the matter has been handled.

Initially, it was feared that details of TalkTalk’s entire customer base had been stolen in an attack on the company’s website on Oct. 21.

The Information Commissioner, responsible for regulating personal data protection in the U.K., slammed the company in a radio interview on Oct. 23 for taking over 24 hours to inform his office, saying he wished he had been told sooner.

Going public with word of the attack before it had all the details, TalkTalk gave all its four million customers reason to worry.

But a week later, on Oct. 30, the company had narrowed down the leaked information to fewer than 21,000 unique bank account numbers and sort codes, fewer than 28,000 credit or debit card numbers (minus their six middle digits), and the dates of birth of fewer than 15,000 customers.

The hackers’ biggest catch seems to have been the names, email addresses and telephone numbers of up to 1.2 million customers, according to the company.

None of these pieces of information is likely to be sufficient in itself to defraud the affected customers, but could form the basis of a phishing attack to fill in the blanks that would allow funds to be withdrawn or a credit card charged.