Arrests made for data breach at mobile network Three

Fraudsters reportedly accessed customer information in order to steal phones.

According to reports, three men have been arrested after accessing the customer data of mobile network Three in order to steal phones.

The hackers - aged 48, 39 and 35 - supposedly gained access to the personal information of Three customers through a database showing those eligible for upgrades. They then used that information to arrange for eight new handsets to be dispatched, before intercepting and stealing the phones.

It is still unclear as to how many of Three's nine million customer accounts were accessed and the company has issued assurances that no financial information 

A Three spokesman said: "Over the last four weeks Three has seen an increasing level of attempted handset fraud.This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices. We've been working closely with the police and relevant authorities. To date, we have confirmed approximately 400 high-value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity. The investigation is ongoing and we have taken a number of steps to further strengthen our controls.

"In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three's upgrade system.This upgrade system does not include any customer payment, card information or bank account information."

According to Sky News, two of the suspected culprits were arrested over computer misuse offences, with the third arrested for attempting to pervert the course of justice. All three have since been released on bail.

Michael Hack, Senior Vice President of EMEA Operations at Ipswitch, commented: "The Three data breach demonstrates that perimeter defences are not enough. Any organisation that handles customer data is at risk from insider threats. The way that files are managed, monitored and shared is key. An authorised login will enable someone with malicious intent to download data to a disc or USB key, unless there are safeguards built in to the infrastructure that flag this movement of data.

"Organisations can’t take chances when it comes to IT security and must make sure critical information is kept safe. By automating, managing and controlling all file transfers from a central point of control, employees can easily send and share files using IT approved methods. The IT department also gains complete control over activity. It’s no longer good enough just to have the right policies in place for secure data transfer, an organisation must ensure it has the right file transfer technologies, security systems, processes, and most importantly, staff training." 

The news comes just days after a 17-year old boy pleaded guilty for hacking mobile operator TalkTalk, for which the company was fined £400,000 by the Information Commissioner's Office.

Image source: Three.co.uk