Criminals have stolen or illegally obtained over 400 smartphones from Three UK over the past month as handset fraud has soared at the mobile operator.
The situation escalated this week, with data belonging to an unknown number of the company’s subscribers compromised as part of a database breach.
Three confirmed that data such as customer names and addresses has been accessed, but that financial details were not at risk.
It was unable to confirm on Friday morning how many of its nine million subscribers were affected, but a spokesman told European Communications that the number was “significantly lower” than the six million figure quoted by The Daily Telegraph.
Three said data had not been physically taken from the system, but that it had been accessed via an employee’s login.
The operator first became aware of “suspicious activity” related to this on Monday. Three men were arrested by the UK’s National Crime Agency (NCA) on Wednesday.
Two were arrested on suspicion of computer misuse offences and one on suspicion of attempting to pervert the course of justice.
All three have since been released on bail pending further enquiries.
Three wouldn't comment on whether the three men were employees.
“As investigations are on-going, no further information will be provided at this time,” the NCA said.
Three said 400 handsets had been stolen through burglaries and eight devices had been illegally obtained through upgrade activity over the past four weeks.
Upgrade fraud involves criminals attempting to order smartphones on behalf of subscribers but intercepting the devices before they are delivered.
Three UK said in a statement: “We’re aware of an attempted fraud issue regarding upgrade devices and are working with police and relevant authorities on the matter.
“The objective was to steal high-end smartphones from Three, but we’ve already put measures in place to stop the fraudulent activity.
“We’d like to reassure customers that their financial details are not at risk.
“We are investigating how many customers are affected and will be contacting them as soon as possible.
“We’ll update with further information once we have this.”
Last month, TalkTalk received a record £400,000 fine by the UK’s Information Commissioner’s Office for security failings related to last year’s cyber attack that affected 157,000 customers.