UK police have arrested a second teenager in their investigation of an attack on the website of telecommunications operator TalkTalk that may have exposed the personal data of millions of customers.
The arrest of the 16-year-old boy in Feltham, England, on Thursday follows the arrest Monday afternoon of a 15-year-old boy in County Antrim, Northern Ireland.
Both boys were arrested on suspicion of offenses under the Computer Misuse Act, and have been released on bail. Thursday’s arrest followed a search of homes in Feltham and Liverpool, police said. No arrest was made at the address in Liverpool.
Officers from the Metropolitan Police Cyber Crime Unit, who made Thursday’s arrest, are now conducting a joint investigation with Police Service Northern Ireland’s Cyber Crime Centre and the National Crime Agency, they said Friday.
TalkTalk’s website was attacked on Oct. 21.
The information that may have been accessed is not enough on its own to take money from customers’ bank accounts, the company said Wednesday.
Sensitive financial information such as credit and debit card numbers was “protected,” the company said.
It also said the number of customers potentially affected was smaller than it originally thought, without saying how many it now thought had been affected. Initially it was feared that the data of around 4 million customers was at risk.
TalkTalk has been criticized for its handling of the incident.
For customers who have money stolen from their bank accounts as a direct result of the attack, rather than as result of them giving out additional information, TalkTalk said it might waive its usual contract termination fee — but other customers who have lost confidence in the company and want to leave must pay the fee. It has offered customers a year’s subscription to a credit monitoring service.
The data that may have been accessed includes names, addresses, dates of birth, email addresses, telephone numbers, TalkTalk account information and details of credit and debit cards or bank accounts.
Encryption was not used to protect the data, but credit and debit card numbers were not stored in their entirety on the site: Only incomplete numbers such as 0123 45xx xxxx 6789 were held, TalkTalk said. The company did not say whether bank account details were similarly protected.