Three men suspected of breaching customer data to steal phones have been arrested.
The breach at mobile network Three is understood to have involved fraudsters accessing personal data, including names and addresses, by using authorised logins to its database of customers eligible for an upgrade.
The men are thought to have used the information to arrange for upgraded handsets, believed to include iPhone and Samsung models, to be sent to eight customers before intercepting them.
A 48-year-old man from Orpington, Kent and a 39-year-old man from Ashton-under-Lyne, Manchester, were arrested on Wednesday by the National Crime Agency on suspicion of computer misuse offences in connection with the fraud.
A 35-year-old man from Moston, Manchester, was also arrested on suspicion of attempting to pervert the course of justice. All have been bailed pending further inquiries.
Three, which has nine million customers, said customers’ financial information was not stored on the system while an investigation into the total number affected was ongoing.
A spokesman for Three said: “Over the last four weeks Three has seen an increasing level of attempted handset fraud.
“This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.”
The spokesman said approximately 400 high-value handsets have been stolen in burglaries and eight devices have been illegally obtained through the upgrade activity.
The spokesman added: “The investigation is ongoing and we have taken a number of steps to further strengthen our controls.
“In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system.
“This upgrade system does not include any customer payment, card information or bank account information.”
The eight handset fraud victims have been informed, the spokesman said.
The fraud comes after telecoms giant TalkTalk fell victim to an attack on its website in October last year which resulted in the personal data of nearly 160,000 people being accessed.
The Information Commissioner’s Office fined the firm a record £400,000 last month for security failings that it said had allowed customers’ data to be accessed “with ease”.
The ICO said that in 15,656 cases, bank account details and sort codes had been accessed.