Private data of Three Mobile customers has been put at risk by a data breach that has led to three men being arrested by the UK's National Crime Agency.
The men used official logins to access the mobile network's database of customers who were eligible for handset upgrades and accessed the people's names and addresses. It's believed the men then used the database to have phones sent to eight customers, which they then intercepted.
A statement issued by Three Mobile on November 18 stated that more than 100,000 of its customers had been affected by the data breach. "In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question," Dave Dyson, Three's CEO said.
Three has said it will be contacting all the customers who had details accessed to explain what had happened. It is also continuing to work with law enforcement agencies.
Officers at the NCA arrested a 39-year old man from Ashton-under-Lyne, Manchester, and a 48-year-old man from Orpington, Kent, on suspicion of computer misuse offences and a 35-year-old man from Moston, Manchester who is accused of attempting to pervert the court of justice.
The men have all been bailed while investigations continue and, as such, the NCA is not releasing any further information.
Three said it had noticed an "increasing level of attempted handset fraud" in the past four weeks. The growth in fraud has been put down to more burglaries of retail stores and attempts to intercept devices that had been sent for upgrades.
It also said the database accessed did not include customer payment information. "We’ve been working closely with the police and relevant authorities," the company said in a statement.
"To date, we have confirmed approximately 400 high-value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity. The investigation is ongoing and we have taken a number of steps to further strengthen our controls."
“In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system.”
A spokesperson for the Information Commissioner's Office (ICO) confirmed it was aware of the incident and was "making enquiries".
At the start of October TalkTalk, which was hacked in 2015, was fined £400,000 by the ICO after it said the company was in breach of data protection rules. The ICO said it was easy for hackers to take advantage of "technical weaknesses" in TalkTalk's IT systems and access customer details.
In total, 156,959 TalkTalk customers had their personal details stolen by hackers who accessed names, addresses, dates of birth, phone numbers and email addresses. There were also 15,656 incidents where the hacker had access to the bank account details and sort codes of customers.
This article was originally published by WIRED UK
