Three mobile has confirmed that information about almost 134,000 customers was accessed following a data breach, although the company, one of the largest mobile network providers in the UK, has said no banking information has been obtained by outsiders.
The company says information from 133, 827 of its nine million customer accounts was accessed in total.
For 107,102 customers, the information which could have been obtained included whether they are a handset or SIM-only customer, contract start and end date, handset type, Three account number, how long they've been with Three, whether the bill is paid by cash or card, billing date, and name.
For a further 26,725 customers the information which could have been obtained included name, address, date of birth, gender, handset type, contract start and end date, whether they are a handset or SIM only customer, telephone number, email address, previous address, marital status, employment status, Three account number and phone number, and how long they've been with Three.
Three men arrested in connection with the breach have been released on bail while the National Crime Agency investigates the case.
In a message to customers, Three CEO Dave Dyson has apologised for the inconvenience caused by the breach and assured customers no bank information was accessed.
"We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently," he said.
"I understand that our customers will be concerned about this issue and I would like to apologise for this and any inconvenience this has caused," he said. "In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question."
Dyson says Three has "put in place increased security" for the affected customer accounts and that the company is "working closely with law enforcement agencies on this matter".
The company says information was obtained after being accessed using an authorised login into its database of customers eligible for a phone upgrade. Three has warned customers to be "cautious" about anyone contacting them about the incident and to not give out their banking information.