A 16-year-old boy from, Norwich has become the fourth person arrested over the data hack from telecoms giant TalkTalk. The teenager is being held on suspicion of committing offences under the Computer Misuse Act, according to London's Metropolitan Police.

The boy was detained after officers from the Metropolitan Police Cyber Crime Unit and the National Crime Agency executed a search warrant at an address in Norwich. He remains in custody at a local police station.

He joins two other teenagers and a 20-year-old man who are under police investigation for the alleged data theft. A 15-year-old boy from County Antrim in Northern Ireland was arrested on 26 October and released on police bail until a date in November.

Another 16-year-old boy from Feltham in West London was taken into custody following a search of his home on Thursday, He was later bailed. All were arrested under alleged offences under the Computer Misuse Act. Police have also arrested and bailed a man from Staffordshire.

On Friday, the phone and broadband provider confirmed that at most 1.2 million email addresses, names and phone numbers and 21,000 unique bank account numbers and sort codes were accessed in the attack.

The company however has assured its customers that any stolen credit or debit card details were incomplete and therefore they cannot be used for financial transactions, although it did advise customers to remain vigilant against fraud. It has said that it would be writing to all affected customers to let them know what information had been accessed.

Graham Cluley, an independent security analyst claims that the TalkTalk attack seems to have been done through "an elementary SQL injection attack. "SQL injection attacks, of course are one of the most common methods through whcih hackers can steal data from organisations, but fortunately they're also well understood and relatively easy to prevent if you leave the job i the hands of a competent web development team."

He said that that i was hard to defend the company as it was the third time there has been a data breach in the company. Another security expert Jim Gumbley from ThoughtWorks said: "Companies have a responsibility to ensure data is protected appropriately from theft. When I speak to clients I always recommend that they build up a threat model to help them invest appropriately in protections before data theft can occur, and to minimise the impact if it does."