Major UK telecommunications firm Three Mobile has admitted that a November 2016 breach of its computer systems was broader in scope than previously believed, with the company now having to inform 76,373 additional customers their data was exposed.
Last year, Three Mobile found criminal activity on a system – used to upgrade customers to new devices – which was part of a scheme to order and then sell on new handsets fraudulently.
Criminals obtained specific billing data on 107,102 customers, while a further 26,725 individuals were impacted with personal information theft containing the likes of names, addresses, dates of birth, email contact address, marital status and employment status.
The company continues to stress no financial information, including credit card and Pin numbers, was put at risk in the breach. Despite the total amount of people impacted now sitting at 210,200, Three re-affirmed that "no fraudulent activity has been identified against the customers".
A statement posted to its website read: "We have continued to work closely with law enforcement to support the ongoing investigation. During the course of the investigation, additional files were recovered as part of the same activity which we have analysed."
"We have contacted affected customers to support them.
"We ask customers to be cautious about anyone contacting them. If it is a call from Three and you are in any doubt that it is genuine, end the call and call us back on 333 from your Three mobile. We advise caution when dealing with other service providers you may use."
Sources close to the incident initially told media outlets that private data of "two thirds of the company's nine million customers" may have been vulnerable.
Both the UK's National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) are still probing the breach. To date, three arrests have been made.
An NCA spokesperson said last year: "Officers [...] arrested a 48-year old man from Orpington, Kent and a 39-year old man from Ashton-under-Lyne, Manchester on suspicion of computer misuse offences, and a 35-year old man from Moston, Manchester on suspicion of attempting to pervert the course of justice.
"All three have since been released on bail pending further enquiries."