The Three data breach discovered last week affected over 130,000 customers, the CEO of the UK network operator confirmed on Friday.
Dave Dyson claimed in a statement provided to Infosecurity that the firm spotted eight customers who had been “unlawfully upgraded to a new device” by criminals looking to intercept and sell those handsets for a profit.
The statement continued:
“I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.
We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.
We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have. As an additional precaution we have put in place increased security for all these customer accounts.”
Dyson confirmed three arrests had already been made but added no further details.
On Friday it emerged that the National Crime Agency had cuffed a 48-year-old man from Orpington, Kent, and a 39-year-old man from Ashton-under-Lyne, Greater Manchester, on Computer Misuse Act offences, and a 35-year-old from Moston, Greater Manchester, on suspicion of perverting the course of justice.
It’s claimed the men used an authorized login to access the database of customers waiting for a phone upgrade, and then used that information to intercept the phones.
That would seem to imply some kind of inside job, unless they spear-phished the logins from an unsuspecting member of staff.
The case highlights the need for organizations to enforce strong multi-factor authentication and internal auditing to spot unusual behavior and check that processes and policies are being followed at all times.
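The "internal auditing to spot unusual behavior" the closing paragraph calls for can be made concrete. The following is an added example, not code from the article or from Three: it assumes a hypothetical audit log from an upgrade-eligibility system (one line per customer record viewed, in a constructed `timestamp login account_id` format) and flags any staff login whose daily volume of distinct customer records is far above the median of its peers. The sample records, the thresholds (`factor`, `floor`) and the user names are all constructed for illustration.

```python
"""Flag staff logins whose per-day customer-record access volume is anomalous.

Added example, not the operator's own tooling. The log format below is an
assumption: one line per customer record viewed through the upgrade system,
in the form "<ISO-8601 timestamp> <staff login> <customer account id>".
"""
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Return a constructed audit log: three staff with normal volumes and one
    login ('mallory') that walks 40 distinct accounts late in the day."""
    lines = []
    normal_volumes = {"alice": 3, "bob": 4, "carol": 2}  # constructed
    n = 0
    for user, count in normal_volumes.items():
        for _ in range(count):
            n += 1
            lines.append(f"2016-11-14T09:{n:02d}:00Z {user} {1000000 + n}")
    for i in range(40):  # constructed anomalous login
        lines.append(f"2016-11-14T22:{i:02d}:00Z mallory {2000000 + i}")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (day, login, account) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, user, account = line.split()
        events.append((timestamp[:10], user, account))  # day = YYYY-MM-DD
    return events


def records_per_user_day(events):
    """Count DISTINCT customer accounts each login touched per day.
    Distinct accounts, not raw events, so re-opening one record is not inflated."""
    seen = defaultdict(set)
    for day, user, account in events:
        seen[(user, day)].add(account)
    return {key: len(accounts) for key, accounts in seen.items()}


def flag_outliers(counts, factor=5, floor=10):
    """Flag (day, login, n, baseline) where n exceeds `factor` times the median
    volume of all logins active that day and is at least `floor` records.
    The floor stops tiny teams (median 1 or 2) from flagging routine work;
    both thresholds are assumptions to be tuned against real baselines."""
    per_day = defaultdict(dict)
    for (user, day), n in counts.items():
        per_day[day][user] = n
    flagged = []
    for day, users in per_day.items():
        baseline = median(users.values())
        for user, n in users.items():
            if n >= floor and n > factor * baseline:
                flagged.append((day, user, n, baseline))
    return sorted(flagged)


def run_example():
    """End-to-end: parse the constructed log and return the flagged logins."""
    counts = records_per_user_day(parse_log(build_sample_log()))
    return flag_outliers(counts)


if __name__ == "__main__":
    for day, user, n, baseline in run_example():
        print(f"{day}: login '{user}' viewed {n} distinct accounts "
              f"(peer median {baseline})")
```

A peer-relative median is used rather than a fixed number because a legitimate login's daily volume depends on the team and the day; comparing against the median of active logins on the same day keeps a single bulk reader from dragging the baseline up. In practice the same counts would be compared against each login's own history, and the alert would be joined to the MFA and session records for that login to tell a compromised credential from an insider.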