Three men have been arrested following a data breach at Three mobile, one of the largest mobile network providers in the UK.
The company said details, including names and addresses, had been accessed by using a login to its database of customers eligible for a phone upgrade. It said the breach then allowed upgrade devices to be "unlawfully intercepted", according to the BBC.
Three has nine million UK customers, although at this the company has only been in contact with the eight customers who have directly been affected.
"We're aware of an attempted fraud issue regarding upgrade devices and are working with police and relevant authorities on the matter. The objective was to steal high-end smartphones from Three, but we've already put measures in place to stop the fraudulent activity. We'd like to reassure customers that their financial details are not at risk. We are investigating how many customers are affected and will be contacting them as soon as possible. We'll update with further information once we have this," the company said.
"This is a live investigation and as soon as we have established the facts with the police we will contact all impacted customers. We have put in place enhanced controls to protect your mobile account and would assure you that Three takes the security of your data very seriously," a Three spokesperson said on Twitter.
Despite confirming that a breach has occurred, Three isn't being drawn on how the breach occurred or how many customers have potentially been affected, but the company says the breached upgrade database doesn't including any customer payment information or bank account data.
A spokesperson for Three told The Telegraph "Over the last four weeks Three has seen an increasing level of attempted handset fraud", and added "The investigation is ongoing and we have taken a number of steps to further strengthen our controls."
The National Crime Agency has confirmed to ZDNet that three arrests have been made in connection to the incident.
They are a 48 year old man from Orphington, Kent and a 39 year old man from Ashton-under-Lyne, Greater Manchester, both of whom have been arrested on suspicion of computer misuse offences. A third man, a 35 year old from Moston, Greater Manchester has also been arrested, but on a separate charge of suspicion of perverting the course of justice.
"All three have since been released on bail pending further enquiries. As investigations are on-going no further information will be provided at this time," said an NCA spokesperson.
A spokesman for the Information Commissioners Office said: "We're aware of this incident and are making enquiries. The law requires that organisations take appropriate measures to keep people's personal data secure. As the regulator, it's our job to act on behalf of consumers to see whether that's happened."
Read more on cybersecurity
- In TalkTalk aftermath, it's time for companies to pay higher price for breaches
- 66% of organizations won't recover after cyberattack, study says [TechRepublic]
- Hack reportedly exposes 412M FriendFinder Networks accounts [CNET]
- These were the biggest hacks, leaks and data breaches of 2016
- Tesco Bank says £2.5m was stolen from 9,000 customers in cyberattack