Three men have been arrested in connection with a data breach at UK operator Three which resulted in the illegal interception of mobile devices heading for customers.
The National Crime Agency (NCA) claimed it had caught a 48-year-old man from Orpington, Kent, and a 39-year-old man from Ashton-under-Lyne, Greater Manchester, on Computer Misuse Act offences.
A third man, a 35-year-old from Moston, Greater Manchester, was arrested on suspicion of perverting the course of justice, according to the BBC.
The men are said to have used an authorized login to access a database of customers – including names and addresses – waiting for a phone upgrade.
They are then thought to have used that information to intercept the phones.
Three has claimed the database in question did not contain any financial details, although it’s still ascertaining exactly how many customers were affected.
“Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices,” a spokesman said in a statement.
"We've been working closely with the police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity."
Chris Hodson, EMEA CISO at Zscaler, claimed the suspects probably had an inside contact.
“While its conceivable that user credentials were obtained through social engineering, swift arrests suggest a chain of associated events can likely be traced and compromise comes from insider intent.
“Three might say it’s okay that payment details weren’t accessed, but frankly – who cares? It doesn’t mean that other confidential data can’t be used to build a false customer profile or commit subsequent fraud at scale.”
He argued that the case should serve as a reminder that strong authentication and improved auditing is essential.
Michael Hack, senior vice-president of EMEA operations at Ipswitch added that the new EU GDPR will increase the scrutiny on firms suffering breaches of this sort.
"Organizations can’t take chances when it comes to IT security and must make sure critical information is kept safe,” he said.
“It’s no longer good enough just to have the right policies in place for secure data transfer, an organization must ensure it has the right file transfer technologies, security systems, processes, and most importantly, staff training."