Three men have been arrested after a data breach at the Three mobile network allowed fraudsters to access personal data and steal phones.
The company, said names and addresses were stolen and it does not know how many of its 9 million customers are at risk.
Fraudsters are understood to have used authorised login information to order upgraded phones, including iPhone and Samsung handsets, to be sent to customers before intercepting them. Three said it believed around 400 phones had been stolen
On Wednesday, the National Crime Agency arrested a 48-year-old man from Orpington, Kent, and a 39-year old man from Ashton-under-Lyne, Manchester, on suspicion of computer misuse offences as well as a 35-year old man from Moston, Manchester, on suspicion of attempting to pervert the course of justice.
A spokesman for the firm said: “Over the last four weeks Three has seen an increasing level of attempted handset fraud.
“This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.
"We’ve been working closely with the police and relevant authorities. To date, we have confirmed approximately 400 high-value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity. The investigation is ongoing and we have taken a number of steps to further strengthen our controls.
“In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system. This upgrade system does not include any customer payment, card information or bank account information.”
Experts raised the alarm at the ease with which confidential data was stolen. Matt Middleton-Leal, UK director at secirty firm CyberArk said: "Once again, the story is not so much about hackers getting into a company, more how simple it seems to be to access and exfiltrate data without alarms being raised. Containing hackers’ access and identifying suspicious behaviour once they are inside is key.“
The news comes after hackers accessed personal data of 160,000 TalkTalk customers following an attack on its website on October 21 last year.
The Information Commissioner's Office fined the firm a record £400,000 for security failings that it said had allowed customers' data to be accessed “with ease”. In 15,656 cases, bank account numbers and sort codes were accessed.
