A fifth person has been arrested in connection with the data breach at TalkTalk, the Metropolitan Police has confirmed.
Detectives from the Met's Cyber Crime Unit (MPCCU), in collaboration with the Southern Wales Regional Organised Crime Unit, arrested an 18-year-old male at an address in Llanelli, Wales.
The suspect was taken into custody at a Dyfed Powys police station and has since been bailed until a date in March.
The latest suspect was arrested on suspicion of blackmail, unlike the four previous arrests, which came under the Computer Misuse Act.
A fifth person has been arrested in connection with the TalkTalk investigation https://t.co/xh5E7wYYPl — Metropolitan Police (@metpoliceuk), November 24, 2015
A joint operation between the MPCCU and TalkTalk has resulted in five arrests since the cyber attack on 21 October.
A 16-year-old boy from London was arrested and held under Computer Misuse Act offences and has since been released on bail.
Three others have been implicated in the cyber attack: a 20-year-old man from south Staffordshire, a 16-year-old boy from Feltham and a 15-year-old boy from Northern Ireland.
The investigation is being spearheaded by the MPCCU and the National Crime Agency.
TalkTalk said in a statement following the initial arrests: "We know this has been a worrying time for customers and we are grateful for the swift response and hard work of the police. We will continue to assist with the ongoing investigation."
TalkTalk announced recently that customers will be able to claim a free upgrade during December that provides stronger security measures, according to the firm.
The "significant and sustained" cyber attack against TalkTalk resulted in the loss of roughly 1.2 million customer email addresses, names and phone numbers and up to 21,000 unique bank account numbers and sort codes.
"We would like to apologise for the unavoidable uncertainty over the last few weeks while we have been working hard to understand the extent of the data accessed during our recent cyber attack," TalkTalk said on its website.
The upgrade comes "with no additional commitments" and offers additional TV packages, unlimited UK mobile and landline calls and broadband health checks.
It also offers security features such as a web filter, call blocking and anonymous caller rejecting.
Interestingly, the firm indicated that terms will apply to the deal, which is "subject to availability and ongoing relationship with TalkTalk".
The price to pay
TalkTalk revealed last month that the cyber attack on its systems will cost £30m to £35m.
The company made the admission during an earnings report for the first half of its financial year. CEO Dido Harding said that it is hard to know the full extent of the attack's effect on the company's financial future.
"We expect that the one-off impact of this criminal attack will be £30m-£35m. It's far too early to tell the impact on the business in the long run," she explained.
Part of this cost is likely to come from TalkTalk's announcement that it will offer all customers the chance to upgrade their services free of charge.
A total of 156,959 personal account details were accessed by hackers, and the firm admitted that this included 15,656 bank account numbers and sort codes.
TalkTalk claimed that four percent of its customers have data at risk. "We continue to advise customers to be vigilant, and to take all precautions possible to protect themselves from scam phone calls and emails," the firm said in a statement.
TalkTalk indicated in one news update to customers last month that the fallout from the breach was smaller than first reported.
"Investigations so far show that the information that may have been accessed is not enough on its own to take money from your bank account," the firm said.
"Sensitive financial information, such as credit and debit card numbers, was protected. The number of customers who may have been affected and the amount of data potentially accessed is also smaller than we originally thought."
TalkTalk indicated the breach compromised:
- Fewer than 21,000 unique bank account numbers and sort codes
- Fewer than 28,000 obscured credit and debit card details
- Fewer than 15,000 customer dates of birth
- Fewer than 1.2 million customer email addresses, names and phone numbers
Security expert Brian Krebs reported that the hackers targeted a database of roughly 400,000 customers which held credit check details, but a TalkTalk spokesperson told V3 that the firm could not substantiate these claims.
Following the breach Harding admitted that not all customer data was encrypted and said in an interview with The Sunday Times that the firm was not legally obliged to do so.
"[Our data] wasn't encrypted, nor are you legally required to encrypt it. We have complied with all of our legal obligations in terms of storing of financial information," she said.
The ransom note
Harding confirmed that she received a ransom note from the hackers responsible for the cyber attack.
"It is hard for me to give you very much detail but, yes, we have been contacted by, I don't know whether it is an individual or a group, purporting to be the hacker," Harding told the BBC.
"All I can say is that I had personally received a contact from someone purporting - as I say I don't know whether they are or are not - to be the hacker looking for money."
The full amount of sensitive data stolen from TalkTalk included names, addresses, dates of birth, email addresses and partial credit card details. TalkTalk confirmed that the details of former customers were also likely to have been compromised.
Tristia Harrison, managing director of the consumer division at TalkTalk, said: "We are taking all the necessary steps to understand this incident and to protect [customers] as best we can against similar attacks in future."
The Information Commissioner's Office told V3: "The ICO is aware of this incident, which was reported to us on Thursday afternoon. We will be making enquiries and liaising with the police."
David Emm, principal security researcher at Kaspersky Lab, highlighted the lack of encryption as a sign of lax security practices.
"It is alarming if any data is not encrypted as it effectively hands over personal information to the attackers. Although Dido Harding is right that the organisation is not alone, this is not the first time such an attack has affected its customers," he said.
"TalkTalk hasn't yet been able to quantify the scale of the breach, but any loss of data is a matter for serious concern for customers and I believe that such repeated leaks of data represent a breach of trust.
"I would recommend that all TalkTalk customers take the opportunity to change their passwords."
Luke Brown, vice president and general manager at Digital Guardian, suggested that this latest breach could be the last straw for TalkTalk customers.
"They say bad news comes in threes and that certainly seems to be the case for TalkTalk over the past nine months. In the wake of two prior breaches, it's hard to see TalkTalk's customers giving it any more chances," he said.
"With over 90 percent of the population owning a mobile phone, it's easy to see why they are becoming an increasingly attractive target for hackers. The big question is, what are [the operators] doing about it? In TalkTalk's case, it appears the answer is far too little."
TalkTalk is advising customers to check their credit reports with three monitoring agencies - Call Credit, Experian and Equifax - despite the fact that Experian suffered a major data breach earlier this year that resulted in the exposure of up to 15 million T-Mobile customer records.