The personal data of more than 133,000 customers have been at risk following the data breach
More than 133,000 Three customers have been at risk of having their personal information stolen following the arrest of three men over data breach charges.
The operator confirmed the names and addresses of its subscribers had been accessed following unauthorised access to a database listing customers eligible for upgrades. but no payment, bank or card details were accessed.
Attackers had used the database to order upgraded phones, which affected eight customers. The network had become aware of the suspicious activity on November 14 and worked with the relevant authorities to intercept the attack.
The National Crime Agency confirmed it had arrested a 48-year-old man from Orpington, Kent, and a 39-year-old male from Ashton-Under-Lyne, Manchester on suspicion of computer misuse offences. A third man from Moston, Manchester has been arrested on suspicion of attempting to pervert the course of justice.
Three is currently investigating how the database was accessed and has since increased its security. The eight customers affected have been contacted by the operator.
Three CEO Dave Dyson said: “As you may already know, we recently became aware of suspicious activity on the system we use to upgrade existing customers to new devices and I wanted to update all our customers on what happened and what we have done.
“I understand that our customers will be concerned about this issue and I would like to apologise for this and any inconvenience this has caused. Once we became aware of the suspicious activity, we took immediate steps to block it and add additional layers of security to the system while we investigated the issue.
“On 17th November we were able to confirm that eight customers had been unlawfully upgraded to a new device by fraudsters who intended to intercept and sell on those devices.
“I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question. We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.”
The latest attack follows another where 157,000 TalkTalk customers had their personal data stolen in October last year. It had been fined £400,000 by Ofcom for the breach last month.