Three has been the victim of a major cyber hack after fraudsters were able to gain access to the company’s phone upgrade system and in turn see millions of customers’ private information.
The company has confirmed that the fraudsters had accessed this data, including names and addresses, by using normally secure logins that were restricted to staff. The database in question contains every customer on Three’s network who is currently eligible for an upgrade.
On Wednesday, the National Crime Agency arrested a 48-year-old man from Orpington, Kent, and a 39-year-old man from Ashton-under-Lyne, Manchester, on suspicion of computer misuse offences as well as a 35-year-old man from Moston, Manchester, on suspicion of attempting to pervert the course of justice.
What did they steal?
The fraudsters are then understood to have used the information to arrange for upgraded phones, believed to include iPhone and Samsung handsets, to be sent to eight customers before intercepting them.
“To date, we have confirmed approximately 400 high-value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity,” confirmed a spokesperson for Three.
What private information did they see?
Three, which has nine million customers, said customers’ financial information was not stored on the system while an investigation into the total number affected was ongoing.
A spokesperson clarified further saying: “This upgrade system does not include any customer payment, card information or bank account information.”
The Telegraph has received reports that the database could have contained the information for around six million of Three’s nine million customers.
How did Three discover they had been hacked?
A spokesman for the firm said: “Over the last four weeks Three has seen an increasing level of attempted handset fraud.
“This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.
“We’ve been working closely with the police and relevant authorities.
“The investigation is ongoing and we have taken a number of steps to further strengthen our controls.
“In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system.”
The eight handset fraud victims had been contacted, the spokesman added.
The NCA said all three men had been bailed pending further enquiries.
A spokeswoman said: “As investigations are on-going no further information will be provided at this time.”
What happens next?
Three says it hasn’t contacted the customers whose data was involved but will do when it has a better understanding of the situation.
It comes after telecoms giant TalkTalk fell victim to an attack on its website on October 21 last year which resulted in the personal data of nearly 160,000 people being accessed.
The Information Commissioner’s Office fined the firm a record £400,000 last month for security failings that it said had allowed customers’ data to be accessed “with ease”.
The ICO said that in 15,656 cases, bank account details and sort codes had been accessed.