In a twist, thieves in the U.K. hacked personal data to steal high-end smartphones, rather than hacking phones to steal personal data.
The thefts came to light after mobile network operator Three noticed a recent increase in levels of handset fraud, the company said Friday.
By accessing the system Three uses to manage handset upgrades, the perpetrators were able to intercept new high-end handsets on the way to the operator's customers.
Three, however, said only eight devices have been illegally obtained through the upgrade activity -- compared to 400 stolen from its retail stores over the past four weeks.
The company sought to reassure customers concerned that their personal information may have been accessed in the attempt to steal the upgrade phones.
"We've already put measures in place to stop the fraudulent activity. We’d like to reassure customers that their financial details are not at risk," Three said on its Facebook page Friday. It promised to contact affected customers as soon as possible.
Police have clearly been investigating the case for some time: They made three arrests related to the case on Wednesday, a spokeswoman for the U.K.'s National Crime Agency said via email.
Two men, 39 and 48 years old, respectively, were arrested on suspicion of computer misuse offenses, while a third, a 35-year-old man, was arrested on suspicion of attempting to pervert the course of justice. They have since been released on bail pending further inquiries, she said.
Three said the perpetrators used authorized logins to its upgrade system, but under the U.K.'s 1990 Computer Misuse Act, computer misuse offenses involve either unauthorized access to a computer system, or the making, supplying or obtaining of articles (including programs or data held in electronic form) for use in such offenses.
That suggests the data breach could have been an inside job rather than a hack, with employees of Three either using genuine login credentials to perform acts not in their job description (such as stealing customers' personal information), or supplying those credentials to a third party who then accessed the database.
The data accessed "does not include any customer payment, card information or bank account information," Three said. But mobile network operators do typically store customer names, addresses, dates of birth, phone numbers and other electronic contact information, any or all of which may have been stolen.