By Subrat Patnaik
(Reuters) - Three, the smallest of Britain's four mobile phone networks, said late on Thursday hackers had accessed its customer upgrade database after using employee logins.
The cyber security breach could put the private information of two-thirds of Three's 9 million customers at risk, the Telegraph said, citing sources familiar with the incident.
Three said it was investigating how many customers were affected and would be contacting them as soon as possible.
"This upgrade system does not include any customer payment, card information or bank account information," Three spokesman Nicholas Carter told Reuters in an email.
The company, part of CK Hutchison Holdings Ltd, said that over the last four weeks Three has seen an increasing level of attempted handset fraud.
"To date, we have confirmed approximately 400 high-value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity," Carter said.
"This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices."
Three men have been arrested in connection with the breach at Three, the National Crime Agency (NCA) said on Friday.
A 48-year-old man from Kent, southern England, and a 39-year-old man from Manchester, northern England were arrested on suspicion of computer misuse offences, and a 35-year-old man, also from Manchester, was arrested on suspicion of attempting to pervert the course of justice, the NCA said.
All three have been released on bail pending further enquiries, a spokesman said.
Britain's data protection regulator fined broadband provider TalkTalk Telecom Group Plc 400,000 pounds in October for security failings that enabled a cyber attack last year, which affected around 4 percent of the company's 4 million customers and cost it around 60 million pounds.
(Reporting by Subrat Patnaik in Bengaluru and Paul Sandle in London; Editing by Richard Chang and Elaine Hardcastle)