Two men in Greater Manchester have been arrested in connection with a data breach at mobile operator Three. Another man in Kent is helping police with their enquiries.
The National Crime Agency (NCA) is investigating the incident and made two arrests under the Computer Misuse Act and one on suspicion of attempting to pervert the course of justice.
“All three have since been released on bail pending further enquiries. As investigations are ongoing, no further information will be provided at this time,” a spokesperson for the NCA said.
According to reports in The Telegraph, hackers managed to gain access to Three's upgrade database using legitimate employee credentials. The access then allowed them to process fraudulent upgrades for premium smartphones with the aim of intercepting the handsets before they reached customers.
In a statement, Three acknowledged the issue.
“Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices,” the firm said in a statement.
“We've been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity.
“The investigation is ongoing and we have taken a number of steps to further strengthen our controls. In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three's upgrade system. This upgrade system does not include any customer payment, card information or bank account information.”
The Information Commissioner's Office told SCMagazineUK.com that it was aware of the incident and was making inquiries.
“The law requires that organisations take appropriate measures to keep people's personal data secure. As the regulator, it's our job to act on behalf of consumers to see whether that's happened,” it said.
Dave Palmer, director of Technology at Darktrace, told SC that the attack begs the question: would my business be able to identify that apparently legitimate database accesses were in fact fraudulent?
“Increasingly we are seeing wily hackers use employee logins to disguise themselves on the network and carry out attacks from the inside undetected. This highlights how even organisations that have deployed standard security systems can no longer assume they are safe,” he said.
“To avoid cyber-crisis, organisations big and small need to adopt new technologies that identify unusual behaviours within their borders early, no matter how subtle and discrete.”
Mark O'Halloran, partner at leading law firm Coffin Mew, told SC that people will always be the weak link in cyber-security and there are many ways the hacker could have obtained the log in details.
“The most common is spear-phishing where the hacker sends an email which appears to come from the IT department asking the employee to log in again. We've probably all received those emails, apparently from our bank, asking us to check our account – it's the same principle and it's so easy, when you're busy at work, to fall for it,” he said.