The Three mobile network has revealed that details, including names and addresses, have been accessed using a login to its database of customers eligible for a phone upgrade.
This breach in security then allowed the upgraded devices to be “unlawfully intercepted”.
Three has nine million customers and is investigating exactly how these accounts were accessed.
The database, it has said, does not contain payment, card or bank details.
A spokesman for the company said: “Over the last four weeks Three has seen an increasing level of attempted handset fraud.”
“This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.”
“We’ve been working closely with the police and relevant authorities.”
“To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity.”
He added: “In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system.”
“This upgrade system does not include any customer payment, card information or bank account information.”
Was an insider to blame? These details are currently unknown.
3 blind mice
The National Crime Agency (NCA) said on Wednesday it had arrested two men from Manchester and one man from Kent who are linked to the data breach.
All three have been released on bail pending further enquiries, an NCA spokeswoman said.
Three, which has nine million customers, is investigating how many accounts were accessed, but said the database did not contain payment, card or bank details.
This hack is the latest example of how simple it is to access and exfiltrate data without alarms being raised.
Matt Middleton-Leal, regional director, UK, Ireland and Northern Europe at CyberArk, elaborates and suggests that “the story is not so much about hackers getting into a company, more how simple it seems to be to access and exfiltrate data without alarms being raised. Containing hackers’ access and identifying suspicious behaviour once they are inside is key.”
“Ultimately, this should serve as a reminder that strong authentication mechanisms and detection controls are essential. Of course prevention is ideal, but it’s not always possible. We must find ways to reduce the time from initial breach through to identification,” agreed Chris Hodson, EMEA CISO at Zscaler.
“Three says it’s improved its controls in the light of this breach. The question is, does that extend to strong authentication and improved audit and logging controls?”