British telecoms company Three has suffered a security breach affecting a database containing information on 6 million customers.
The incident, first reported by The Telegraph, involved people logging into a customer database, upgrading customers’ phones, then stealing the new handsets and reselling them.
At least eight handsets were stolen that way, though the exact number of customers affected is unclear.
While the number of customers affected appears to be low (judging by the number of handsets stolen), the suspects had access to a vast database of up to 6 million customers — two-thirds of Three’s 9 million customer base. The Telegraph had reported that the breach “could put the personal data of millions of customers at risk,” but a source with knowledge of the hack told Business Insider there was no evidence that customer data was stolen. (Hackers will sometimes sell stolen databases of user logins online.)
A Business Insider employee with a Three account called up the company for more information, and a customer service representative could not confirm whether or not other users’ data was affected beyond those targeted in the upgrade scam. They also could not put a figure on the number of customers affected: “There are no estimated numbers confirmed,” the customer service representative said.
Customer data that could be affected includes names, addresses, phone numbers, and dates of birth. But it does not include “any customer payment, card information or bank account information,” Three said in a statement.
Customers who have been directly affected by the upgrade scam have reportedly been contacted by Three — but other customers, who may be wondering if their data is still secure, have not.
The UK telecoms company provided Business Insider with the following statement (emphasis ours):
“Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.
“We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity.
“The investigation is ongoing and we have taken a number of steps to further strengthen our controls.
“In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system.
“This upgrade system does not include any customer payment, card information or bank account information.”
(Note: The 400 burglaries referred to are apparently not directly linked to the hacking incident.)
Three people have been arrested in relation to the incident, The National Crime Agency confirmed.
In a statement, the National Crime Agency told Business Insider: “On Wednesday 16 November 2016, officers from the National Crime Agency arrested a 48-year old man from Orpington, Kent and a 39-year old man from Ashton-under-Lyne, Manchester on suspicion of computer misuse offences, and a 35-year old man from Moston, Manchester on suspicion of attempting to pervert the course of justice.
“All three have since been released on bail pending further enquiries. As investigations are on-going no further information will be provided at this time.”
The source with knowledge of the hack said that the attacker is not believed to be “an external party to the business” — suggesting a Three employee could be behind the incident.