Three Mobile, one of the UK's biggest phone companies, has reportedly suffered a hack on its computer systems that put the personal data of roughly six million of its customers at risk.
The information reportedly accessed by hackers included names, phone numbers, addresses and dates of birth, however officials from the popular telecommunications firm stressed it is not believed financial details such as banking or credit card numbers were stolen.
Sources close to the incident told The Telegraph that private data of "two thirds of the company's nine million customers" could now be vulnerable.
Three Mobile confirmed hackers were able to access its customer upgrade database using employee login credentials but declined to comment on the scale of the breach or if customer data was successfully stolen.
While the exact details of the hack are still coming to light, Three Mobile said it believes the hackers accessed customer accounts, requested upgrades then intercepting the new phones while they were being delivered – possibly with the intention to sell them on.
In a statement, a spokesperson for Three Mobile said: "Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.
"We've been working closely with the police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity.
"In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three's upgrade system. This upgrade system does not include any customer payment, card information or bank account information. The investigation is ongoing and we have taken a number of steps to further strengthen our controls."
The National Crime Agency (NCA), which is now probing what could be one of the most widespread hacking cases to hit the UK said three people have been arrested – two on computer misuse charges and one for perverting the course of justice.
An NCA spokesperson said: "On Wednesday 16 November 2016, officers from the National Crime Agency arrested a 48-year old man from Orpington, Kent and a 39-year old man from Ashton-under-Lyne, Manchester on suspicion of computer misuse offences, and a 35-year old man from Moston, Manchester on suspicion of attempting to pervert the course of justice.
"All three have since been released on bail pending further enquiries. As investigations are on-going no further information will be provided at this time".
News of the breach comes after recent cybersecurity incidents at Tesco Bank and TalkTalk – both of which significantly impacted UK consumers. On 1 November, UK chancellor Phillip Hammond MP issued a warning about the rising threat of cybercrime.
Three has advised concerned customers to call 333 on a Three mobile phone or 0333 338 1001 from another phone to get more information about the breach.