TalkTalk latest: a third arrest and the company claims not as much data stolen as feared
Fewer than 21,000 bank account numbers exposed - but 1.2 million customer contact details, admits TalkTalk
A third person was arrested over the weekend in connection with the hack of internet service provider TalkTalk.
According to the Metropolitan Police, which is leading the investigation, a 20-year-old man was arrested on suspicion of offences under the Computer Misuse Act, following the search of an address in south Staffordshire. It follows the arrest of a 15-year-old boy in Northern Ireland and a 16-year-old boy in West London last week.
Furthermore, the company now claims that not all customer details were exposed in the attack - "only" about 1.2 million customer contact details and the bank details - names, account numbers and sort codes - of fewer than 21,000 customers.
In a video posted on YouTube, TalkTalk CEO Dido Harding claimed that "the extent of the data accessed is significantly less than originally suspected". On its incident website, the company continued:
"We now know the extent of the data accessed is significantly less than originally suspected and can confirm that the following personal data was accessed:
- Less than 21,000 unique bank account numbers and sort codes
- Less than 28,000 obscured credit and debit card details (the middle six digits had been removed)
- Less than 15,000 customer dates of birth
- Less than 1.2 million customer email addresses, names and phone numbers."
The statement added: "The credit and debit card details cannot be used for financial transactions. The bank account details that were accessed are, on their own, not enough to take money from your account and are the same as would be found on a cheque. We have also contacted major banks to inform them of the affected bank accounts."
It follows an attack on the company's website on the afternoon of Wednesday 21 October 2015, which the company only publicly admitted on the evening of the next day, leading to claims that it sought to "news manage" the incident.
It would appear to have been a SQL injection attack, perpetrated under the cover of a distributed denial of service attack.