The Telegraph reports that carrier Three Mobile’s systems in the UK have been breached and that its sources say roughly 6 million customers’ personal data could be at risk.
The company noted that the attackers used an employee login to gain entry into its database of customers eligible for a phone upgrade. It hasn’t yet confirmed how many users’ data was stolen or informed affected customers.
The data in question includes people’s names, phone numbers, addresses and dates of birth; Three says no financial information could’ve been accessed.
The National Crime Agency (NCA) said it had arrested three persons – two men from Manchester and one man from Kent – in the course of its investigation into the matter. All three have since been released on bail pending further enquiries.
Three said that the hackers had been fiddling with the database to grant customers new phones and then intercepting the devices – possibly to sell them for a profit. The company noted:
We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity.
The investigation is ongoing and we have taken a number of steps to further strengthen our controls.
This isn’t the first time a British mobile carrier has been attacked. In October 2015, TalkTalk had its systems breached by a teenager, who stole 95,000 users’ data. The attack resulted in a loss of 150,000 customers for the company, which cost it £60 million in total.
We’ve contacted Three for further comment and will update this post if there’s a response.