One of Britain’s biggest mobile phone companies has admitted to a major cyber-security breach which could put the personal data of millions of customers at risk.
Three Mobile admitted that hackers have successfully accessed its customer upgrade database after using an employee login.
Sources familiar with the incident told the Telegraph that the private information of two thirds of the company’s nine million customers could be at risk.
The company confirmed the breach on Thursday evening but declined to say whether customers’ data was stolen or how many have been affected.
Three said that the data accessed included names, phone numbers, addresses and dates of birth, but added that it did not include financial information.
It comes after Talk Talk, the phone and broadband company, admitted in October last year that the private details of 157,000 customers had been hacked.
The five worst ever cyber hacksPlay!02:05
Earlier this month Philip Hammond, the Chancellor, said that companies have a duty to protect their customers against cyber crime following a series of high-profile breaches.
He told an audience in London: ” Trust in the internet and the infrastructure on which it relies is fundamental to our economic future. Because without that trust in, faith in the whole digital edifice will fall away.”
Hammond: The UK will ‘retaliate in kind’ to cyber-attacksPlay!01:49
Three said that the hackers had been accessing customer accounts and upgrading them then intercepting the new phones, possibly in order to sell them on.
Customers whose data was involved have not yet been informed.
The National Crime Agency is investigating the breach and said that three people have been arrested, two for computer misuse and one for perverting the course of justice.
A spokesman for Three said: “Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.
“We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity.
“The investigation is ongoing and we have taken a number of steps to further strengthen our controls.
“In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system.
“This upgrade system does not include any customer payment, card information or bank account information.”
Three has over nine million customers and it is understood that hackers, who used company access codes to get into the system, had access to large parts of the upgrade database.
The theft will prompt concerns that personal information of millions of customers could be sold online to criminals.
A spokesman for the National Crime Agency said: “On Wednesday 16 November 2016, officers from the National Crime Agency arrested a 48-year old man from Orpington, Kent and a 39-year old man from Ashton-under-Lyne, Manchester on suspicion of computer misuse offences, and a 35-year old man from Moston, Manchester on suspicion of attempting to pervert the course of justice.
“All three have since been released on bail pending further enquiries. As investigations are on-going no further information will be provided at this time”.
Three was founded in 2003 and employs over 4,000 people in the UK. The network carries over 37 per cent of all the UK’s mobile phone data.
This latest data breach follows a similar hack at Talk Talk where the details of more than 150,000 customers were stolen including the bank account details of around 15,000.
The company lost 95,000 subscribers as a result of the attack, which cost it £60million.
A 17 year old boy pleased guilty to seven counts of breaching the Computer Misuse Act 1990 at Norwich Crown Court earlier this week.
Find out how to protect yourself and business at: http://cyber.aspida.org