Three has confirmed hackers have infiltrated its customer upgrade database using employee logins. Police have arrested three men in connection to the breach.
The hackers used stolen information obtained from eight customers to falsely apply for upgrades from the phone network.
On Wednesday, the National Crime Agency (NCA) said it had arrested two men in connection with the security breach. A 48-year-old man from Orpington, Kent, and a 39-year-old man from Ashton-under-Lyne, Greater Manchester, were arrested on suspicion of computer misuse offences. A third man from Moston, Greater Manchester has also been arrested on suspicion of attempting to pervert the course of justice.
Nicholas Carter, a spokesperson for Three, told Reuters: “Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.
"We've been working closely with the police and relevant authorities. To date, we have confirmed approximately 400 high-value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity.
"The investigation is ongoing, and we have taken a number of steps to further strengthen our controls. In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three's upgrade system.
"This upgrade system does not include any customer payment, card information or bank account information."
Carter also confirmed all eight customers who were targeted by the hackers have been contacted by Three directly.
The mobile company said it has been subjected to numerous attempts of handset fraud over the last four weeks, and these latest revelations are evident of that.
In response to this latest turn of events, Intercede CEO Richard Parris has been outspoken in his criticism towards how large companies deal with these kinds of security breaches: “Driven perhaps by a slavish devotion to short term margin and revenue growth, we now have what amounts to corporate blindness. The risks are well known, and the solutions are available, but rather than sort the issue, C-level executives and board members the world over simply hope their company isn’t next on the hit list.
“Digital trust is essential in an increasingly digital world and, if company executives and board members refuse to take action to protect their customers, it may be time for governments and regulators to get much more involved.”