UK mobile operator loses phones following data breach

In a twist, thieves in the U.K. hacked personal data to steal high-end smartphones, rather than hacking phones to steal personal data.

The thefts came to light after mobile network operator Three noticed a recent increase in levels of handset fraud, the company said Friday.

By accessing the system Three uses to manage handset upgrades, the perpetrators were able to intercept new high-end handsets on the way to the operator's customers.

Three, however, said only eight devices have been illegally obtained through the upgrade activity -- compared to 400 stolen from its retail stores over the past four weeks.

The company sought to reassure customers concerned that their personal information may have been accessed in the attempt to steal the upgrade phones.

"We've already put measures in place to stop the fraudulent activity. We’d like to reassure customers that their financial details are not at risk," Three said on its Facebook page Friday. It promised to contact affected customers as soon as possible.

Police have clearly been investigating the case for some time: They made three arrests related to the case on Wednesday, a spokeswoman for the U.K.'s National Crime Agency said via email.

Two men, 39 and 48 years old, respectively, were arrested on suspicion of computer misuse offenses, while a third, a 35-year-old man, was arrested on suspicion of attempting to pervert the course of justice. They have since been released on bail pending further inquiries, she said.

Three said the perpetrators used authorized logins to its upgrade system, but under the U.K.'s 1990 Computer Misuse Act, computer misuse offenses involve either unauthorized access to a computer system, or the making, supplying or obtaining of articles (including programs or data held in electronic form) for use in such offenses.

That suggests the data breach could have been an inside job rather than a hack, with employees of Three either using genuine login credentials to perform acts not in their job description (such as stealing customers' personal information), or supplying those credentials to a third party who then accessed the database.

The data accessed "does not include any customer payment, card information or bank account information," Three said. But mobile network operators do typically store customer names, addresses, dates of birth, phone numbers and other electronic contact information, any or all of which may have been stolen.

IDG News Service
