The company admitted the data breach late Thursday, saying that computer hackers gained access to a Three Mobile customer phone upgrade database containing the account details of nearly 6 Million customers.
According to multiple British media reports citing both Three and the National Crime Agency (NCA), the computer hackers used an employee login to gain entry into its database.
The stolen data includes customer names, addresses, phone numbers and dates of birth, which is then used to carry out mobile phone fraud.
The company has not yet confirmed the total number of users' affected by the breach, though it assured its customers that no payment data, including bank account numbers and card numbers, has been accessed.
According to Three, the hackers had stolen the database to use the stolen personal details to find customers eligible for handset upgrade, placing orders for the new phones, intercepting the parcels as they arrived, and then reselling them for a profit.
"Over the last four weeks Three has seen an increasing level of attempted handset fraud," said a spokesman for Three. "This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices."To date, Three has confirmed around 400 cases in which fraudsters had stolen high-value handsets through burglaries and 8 devices have already been illegally obtained through the upgrade activity.
Zero Trust + Deception: Learn How to Outsmart Attackers!
Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!Save My Seat!
Three British Men Arrested over Three Data Breach
The investigation is ongoing, and three people have already with in connection to the fraud.
On Wednesday, the NCA arrested two men on suspicion of computer misuse allegations:
- A 48-year-old man from Orpington, Kent
- A 39-year old man from Ashton-under-Lyne, Manchester
This sort of cyber theft is not new. Earlier this year, fellow British carrier TalkTalk estimated that the company had lost more than £60 Million in a 2015 massive data breach that exposed the account details of 156,000 of its customers.