Three insists handset fraud incident 'not the type of issue that TalkTalk experienced'

Three has announced that "authorised logins" had been used to access its systems holding details of customers eligible for an upgrade of their mobile handsets. Fraudsters used the information to "unlawfully intercept upgrade devices", the company said.

Three has not yet confirmed the number of customers whose data was accessible, but has confirmed that eight devices have been stolen in the fraud. Three men were arrested on Wednesday by the National Crime Agency (NCA) as part of its inquiries into the case, according to the BBC.

A spokesperson for the UK's data protection watchdog, the Information Commissioner's Office (ICO), told Out-Law.com: "We’re aware of this incident and are making enquiries. The law requires that organisations take appropriate measures to keep people’s personal data secure. As the regulator, it’s our job to act on behalf of consumers to see whether that’s happened."

In a comment posted on its Facebook page, Three said that it had established that the breach "is clearly a crime against Three as a business to attempt to fraudulently obtain mobile handsets and is not the type of issue that TalkTalk experienced where the clear target was to steal customer and financial data".

In a statement posted on its website, Three said that it has "put measures in place to stop the fraudulent activity", and said its upgrade system "does not include any customer payment, card information or bank account information".

Earlier this autumn, TalkTalk was issued with a record £400,000 fine by the ICO over failings to appropriately secure customer data, in breach of the Data Protection Act.

TalkTalk was the target of a "significant and sustained" cyber attack in October 2015 during which the personal data of approximately 157,000 customers was compromised. The ICO investigated the incident and said it found a number of "inadequacies" with the company's data security practices. The "matters of serious oversight" included operating outdated software and not undertaking "appropriate proactive monitoring" for system vulnerabilities, the ICO said.

In its statement, Three said it has witnessed "an increasing level of attempted handset fraud" within the past month, including "higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices". It said it has been "working closely with the police and relevant authorities" on the issue.

"To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity," Three said. "The investigation is ongoing and we have taken a number of steps to further strengthen our controls."

"We’d like to reassure customers that their financial details are not at risk. We are investigating how many customers are affected and will be contacting them as soon as possible," it said.

Earlier this week, the ICO reported an increase in the number of 'cyber incidents' being reported to it, but confirmed that data breaches still mostly stem personal data being posted or faxed to the wrong recipient or from a loss or theft of paperwork.