Customer information from more than 130,000 users of the Three mobile network has been compromised in a cyber security breach, the mobile operator has said.
Three boss, Dave Dyson, said in a statement that all affected customers were being contacted individually and that while personal information had been accessed, no financial information had been compromised.
Three men were arrested after the data breach was revealed, over the alleged fraudulent use of the company’s phone upgrade system in an attempt to steal handsets.
Dyson said: “As you may already know, we recently became aware of suspicious activity on the system we use to upgrade existing customers to new devices and I wanted to update all our customers on what happened and what we have done.
“On 17 November we were able to confirm that eight customers had been unlawfully upgraded to a new device by fraudsters who intended to intercept and sell on those devices. I can now confirm that the people carrying out this activity were also able to obtain some customer information.
“In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question. We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.”
Three said it was continuing to work with law enforcement agencies, and as a precaution additional security measures had been placed on customer accounts.
The company had been criticised by some customers on social media for what was seen as a muted response to the breach. However, Dyson said Three would address all consumer concerns.
“I understand that our customers will be concerned about this issue and I would like to apologise for this and any inconvenience this has caused,” he said. “We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have.”
Security experts have again called for major companies with large amounts of customer data to do more to protect consumers. The breach is the latest in a string of cyber attacks and data breaches, including those on TalkTalk and Yahoo.
Having looked at intelligence sources, there are hints to people having insider access to Three network with the ability to do fraudulent sim-swapping.
It is understood that an employees login was used to get access to the system, this could have been phished or stolen and used by a malicious threat actor.