The CEO of UK carrier Three Mobile has confirmed that a customer database was compromised by hackers and more than 130,000 customers have had their account data exposed.
David Dyson says that the hackers, believed to be two men from Kent and Manchester, had indeed accessed the customer directory and used the information – including names, addresses, and dates of birth – to order new phones for accounts that were eligible for hardware upgrade. They then intercepted the packages.
Three says that the hackers managed to order and steal eight phones using the lifted customer account details.
The admission comes after days of media reports and speculation that Three had become the latest UK carrier to fall victim to hackers looking to lift customer details. Multiple reports have noted police activity related to the breach and talk of an increase in phone thefts.
In total, Dyson says that 133,827 people had their account information exposed to the hackers. Not exposed in the breach was any sort of payment information or password data. Dyson says that all of the exposed customers will be individually notified of the breach.
This after the UK's National Crime Agency made the arrests of both of the alleged hackers, as well as a third man who was arrested and charged with perverting the course of justice.
Thus far, it is believed that the information was only used for the phone upgrade schemes and there have been no reports of other attempts to use or sell the lifted customer information for TalkTalk-style follow-up scams.
Dyson's statement, in full as provided to The Register, is below:
As you may already know, we recently became aware of suspicious activity on the system we use to upgrade existing customers to new devices, and I wanted to update all our customers on what happened and what we have done. I understand that our customers will be concerned about this issue and I would like to apologize for this and any inconvenience this has caused.
Once we became aware of the suspicious activity, we took immediate steps to block it and add additional layers of security to the system while we investigated the issue. On 17th November we were able to confirm that 8 customers had been unlawfully upgraded to a new device by fraudsters who intended to intercept and sell those devices.
I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained, but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.
We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.
We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have. As an additional precaution, we have put in place increased security for all these customer accounts. We have been working closely with law enforcement agencies on this matter and three arrests have been made.
I understand that this will have caused some concern and inconvenience for our customers and for that I sincerely apologize.