TalkTalk cyber attack: 15-year-old from Ballymena bailed

The teenager was arrested on suspicion of Computer Misuse Act offences 

Hazel Sheffield, Paul Gallagher
Tuesday 27 October 2015 15:01

The teenage prime suspect arrested by police investigating a cyber attack at TalkTalk has been released on bail.

Police arrested the 15-year-old at his family's home in Ballymena, Northern Ireland, on Monday. He was released on bail on Tuesday morning after being questioned by detectives overnight and will be required to report back to police next month.

The teenager, from Ballymena, County Antrim, was questioned overnight by officers from the Metropolitan police’s cybercrime unit on suspicion of Computer Misuse Act offences. Anyone found guilty under the legislation faces up to 10 years in jail and an unlimited fine.

Neighbours at the family's Unionist estate said that the police were still there at 11pm on Monday night. Kathy Haveron, 39, told the Telegraph: "I got home from my mum's at 11pm last night and there were still police around. They were around most of the night."

His age came as a shock to security experts who believed that Russia or Isis was behind the attacks.

In an internet post last year the teenager said he is a keen video game player. “I’m a 14 year old gamer who one day wants to be a professional call of duty player,” he wrote.

TalkTalk said it is working with cyber crime experts, the security services and the police to complete a “thorough investigation” following last week’s data theft. The National Crime Agency is also working on the joint investigation, and MPs have launched an inquiry.

TalkTalk, which has more than four million customers in the UK, said bank details and personal information could have been accessed, but credit and debit card numbers had not been stolen. It is the third time in nine months that the company’s security systems have been breached by hackers, leaving customers furious.

TalkTalk pledged to waive exit fees in some cases where people want to leave their contract - but only in the “unlikely” event money is stolen from them. Customers will need to show that money was stolen from their bank account as a direct result of the cyber attack - and not because they have handed over their personal details themselves – if they want to avoid being charged a termination fee, TalkTalk said.

Millions of people who cancelled their TalkTalk contracts years ago may also have fallen victim to the cyber attack. One former customer told the Independent he was shocked to discover the company retained his personal information despite closing his account months ago.

The man in his 60s, who did not want to be identified, only discovered his details were still being retained when he contacted the firm on behalf of his mother to set up an account for her. He gave his email address for the main contact, but it was rejected as he “already had a TalkTalk account”.

The former customer was told that the TalkTalk system remembers all email addresses to enable the company “to refuse other users from using the same email address”.

He was told: “No one can use your email address with TalkTalk again because it is considered as ‘orphaned’.”

Another customer services representative quoted the Data Protection Act and told the man: “Orphaned email addresses must never be removed from the original account and added to another account. Do not reset passwords for orphaned accounts. Never delete an orphaned email address. Orphaned email addresses should never be added to another account, even when the owner of the original e-mail address is deceased.”

The man told the Independent: “I am concerned that an organisation so clearly prone to data loss is jeopardising all its previous customers too, by issuing internal edicts that no data should be deleted, even when a customer leaves. I’d like to think that when I leave a company my data goes with me, not that it retains their property to retain and use as they see fit.”

A spokesman for TalkTalk, which has been operating since 2006, said: “There is a risk and a chance that some previous TalkTalk customers’ details were stored on the website. At the moment we can’t rule it out.

“We know this has been a worrying time for customers and we are grateful for the swift response and hard work of the police. We will continue to assist with the ongoing investigation.”

There was some better news for the company today as shares rebounded nine per cent following a 12 per cent drop the previous day.

Meanwhile Financial Fraud Action UK warned consumers that fraudsters could capitalise on confusion following the hack to trick people into handing over personal details about themselves, which can then be used to empty victims’ bank accounts.

It said that people should be “extremely wary” of any call, text or email they receive out of the blue, even if it claims that there has been fraud on their account.

Dave Palmer, Director of Technology at cyber threat defence company Darktrace, said: “This is the latest example that shows cybersecurity is a real challenge for every business, and Board of Directors should waste no time in taking a good look at their organisation and addressing its vulnerabilities.”