Three Mobile has confirmed that personal customer information from over 133,000 customers has been compromised in a massive data hack. The UK mobile network said that no bank details, passwords or financial information had been accessed in the cybersecurity breach.
"As you may already know, we recently became aware of suspicious activity on the system we use to upgrade existing customers to new devices," Three CEO Dave Dyson said in a statement. "Once we became aware of the suspicious activity, we took immediate steps to block it and add additional layers of security to the system while we investigated the issue.
"On 17th November, we were able to confirm that 8 customers had been unlawfully upgraded to a new device by fraudsters who intended to intercept and sell on those devices. I can now confirm that the people carrying out this activity were also able to obtain some information," the statement read.
Dyson said that personal information from 133,827 customer accounts were obtained in the breach. However, "no bank details, passwords, pin numbers, payment information or credit/debit card information" are stored on the upgrade system," he said.
According to the company's investigation of the upgrade system, information regarding "whether they are a handset or SIM only customer, contract start and end date, handset type, Three account number, how long they've been with Three, whether the bill is paid by cash or card, billing date and name" for more than 107,000 customers could have been obtained in the breach.
For another 26,725 customers, information including name, address, date of birth, email address, telephone number, handset type, marital and employment status, Three account number, whether they are a handset or SIM-only customer, contract start and end date and how long they have been a Three customer were possibly accessed in the cyberattack.
"We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently," Dyson said. He added that the company is working closely with law enforcement agencies and has been contacting all affected customers individually. Additional security measures have also been placed on customer accounts, the company said.
The company has drawn sharp criticism from users on social media for failing to immediately contact and inform customers about the breach that was reported by the Telegraph.
Earlier this week, the National Crime Agency said that three people have been arrested in connection to the data breach, including two men from Manchester and one man from Kent. Two of the men were detained under the Computer Misuse Act and one on suspicion of attempting to pervert the course of justice, the NCA said. All three men have been released on bail "pending further enquiries."
The latest data breach follows a series of cyberattacks and massive data hacks including one on TalkTalk in October 2015. The company was recently fined a record £400,000 by the Information Commissioner's Office (ICO) over the 'easy' hack in which 157,000 customers had their personal details stolen. In another nearly 157,000 cases, the attacker had access to customers' bank account details and sort codes.