clock menu more-arrow no yes

Filed under:

UK hackers use customer mobile data to steal their upgrade phones

New, 2 comments

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

Hackers have accessed a database of customer information belonging to one of the UK’s biggest mobile carriers, Three. According to a report from The Telegraph, the company said the database included names, phone numbers, addresses, and dates of birth, but no financial information. Three said that their internal systems were accessed using an employee login — rather than exploiting a fault in the software.

Over the past four weeks, Three says it has experienced "an increasing level of attempted handset fraud." This has included more burglaries targeting the company’s retail stores, and criminals using customer data to request, and then intercept, new handsets issued as part of Three’s mobile subscriptions.

"Eight devices have been illegally obtained through the upgrade activity."

"To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity," said a company spokesperson. "The investigation is ongoing and we have taken a number of steps to further strengthen our controls. In order to commit this type of upgrade handset fraud, the perpetrators used authorized logins to Three’s upgrade system. This upgrade system does not include any customer payment, card information or bank account information."

Police in the UK have arrested three men in connection with the breach, two from Manchester and one from Kent. According to the National Crime Agency (NCA), two were arrested on suspicion of computer misuse offenses, while the third was arrested on suspicion of attempting to pervert the course of justice. Three has yet to inform customers that their personal information may have been compromised.