Three hacked: 'Inside job' puts six million customers' private data in jeopardy

Three men arrested in connection with breach

UK telco Three has been hacked, with up to six million customers' data sets now understood to be under threat.

Three confirmed the breach on Thursday, revealing that hackers used an employee log-in to gain entry into its database of customers eligible for a phone upgrade.

Data accessed includes customers' names, phone numbers, addresses and dates of birth, but Three claimed that no financial information could have been accessed.

Those affected, which could be up to two-thirds of Three's nine million customers, have not yet been informed.

The hackers allegedly took the information from Three's upgrade database and used it to issue eight new phones. It is alleged that these phones were then intercepted on their way to a Three customer whose account was used to generate the request, and probably sold on for profit.

A spokesman for Three said in a statement given to The Telegraph: "Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.

"We've been working closely with the police and relevant authorities. To date, we have confirmed approximately 400 high-value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity.

"The investigation is ongoing and we have taken a number of steps to further strengthen our controls.

"In order to commit this type of upgrade handset fraud, the perpetrators used authorised log-ins to Three's upgrade system.

"This upgrade system does not include any customer payment, card information or bank account information."

The National Crime Agency (NCA) is investigating the breach and said that three people have been arrested.

A spokesman for the NCA said: "On Wednesday 16 November 2016, officers from the NCA arrested a 48-year-old man from Orpington, Kent and a 39-year-old man from Ashton-under-Lyne, Manchester on suspicion of computer misuse offences, and a 35-year-old man from Moston, Manchester on suspicion of attempting to pervert the course of justice.

"All three have since been released on bail pending further enquiries. As investigations are ongoing, no further information will be provided at this time."

The hack follows a breach at TalkTalk in October 2015, when hackers stole the details of more than 150,000 customers, including those for the bank accounts of around 15,000 people.

The firm was fined £400,000 last month by Britain's data protection regulator for security failings it said had allowed customers' data to be accessed "with ease". µ