Major mobile network provider Three admitted on Thursday that its upgrade database had been targeted by hackers who aimed to steal phones from the company.
The system was accessed using stolen employee login details and contains customer details, but no payment or card information.
In a letter sent out to customers Friday evening, Three CEO Dave Tyson said eight customers had been "unlawfully upgraded to a new device by fraudsters who intended to intercept and sell on those device." In total, information on 133,827 customers was taken, he added.
"We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently," he said, apologizing for the breach. "We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have. As an additional precaution we have put in place increased security for all these customer accounts."
Three is far from the first British network to have suffered a security breach. Last year both TalkTalk and Vodafone suffered hacks of their own, but the major difference here is that it does not appear to have been data that hackers were after. Instead, Three said, the aim has been to pilfer phones and commit handset fraud.
The company has noticed an increased amount of theft in retail stores and an unusual number of attempts to intercept upgrade phones being sent to customers over the past four weeks, it said. With the help of police, Three has so far established that 400 high-end phones have been stolen through burglaries and eight devices have been illegally obtained through upgrade activity.
The National Crime Agency confirmed on Friday that it had arrested one man from Orpington, Kent and another man from Ashton-under-Lyne, Manchester on suspicion of computer misuse offences. It also arrested another man from Manchester on suspicion of attempting to pervert the course of justice. All three have been released on bail pending further enquiries.
Updated at 3:38 p.m. GMT to include arrest and bail information and again at 11:27 p.m. GMT with a new statement from Three including the number of customers affected.