Attackers stole the information from than 130,000 customers in a data breach that affected Three UK, a telecommunications and Internet service provider.
On 17 November, the media company confirmed the data breach after its security teams detected suspicious activity in a system responsible for managing customers' mobile device upgrades.
Three hackers reportedly compromised a Three employee's login credentials and abused them to gain access to the customer upgrade database. They then looked through those records for customers whom the company had approved for an upgrade.
In total, the hackers submitted an upgrade request for eight customers with the intention of intercepting the new devices before they reached their rightful owners.
David Dyson, CEO at Three, says the attackers made off with some people's personal information in the process:
"I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.
"We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently."
At this time, Three is working with law enforcement to better understand what happened in the incident.
The National Crime Agency confirmed that it arrested three men on 16 November who are believed to have perpetrated the attack.
The company has not yet specified how those hackers compromised the employee's login credentials, though a phishing attack is the most likely culprit.
Given the ongoing rise of data breaches, it's important that companies train their employees to be on the lookout for phishes and other common digital threats. They can do so with the help of a third-party security awareness training software.
Does this sound of interest to your organization?
If so, contact Metacompliance and learn how its anti-phishing simulated exercises can help your workforce defend your company against a phishing campaign.