The company said fraudsters had accessed personal data, including names and addresses, by using authorised logins to its database of customers eligible for an upgraded handset.
They are then understood to have used the information to arrange for upgraded phones, believed to include iPhone and Samsung handsets, to be sent to eight customers before intercepting them.
On Wednesday, the National Crime Agency arrested a 48-year-old man from Orpington, Kent, and a 39-year old man from Ashton-under-Lyne, Manchester, on suspicion of computer misuse offences as well as a 35-year old man from Moston, Manchester, on suspicion of attempting to pervert the course of justice.
Three, which has 9 million customers, said customers’ financial information was not stored on the system. An investigation into the total number affected was ongoing.
A spokesman for the firm said: “Over the last four weeks, Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.
“We’ve been working closely with the police and relevant authorities. To date, we have confirmed approximately 400 high-value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity. The investigation is ongoing and we have taken a number of steps to further strengthen our controls.
“In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system. This upgrade system does not include any customer payment, card information or bank account information.”
The eight handset fraud victims had been contacted, the spokesman added. The NCA said all three men had been bailed pending further enquiries. A spokeswoman said: “As investigations are on-going no further information will be provided at this time.”
It comes after telecoms giant TalkTalk fell victim to an attack on its website on 21 October last year which resulted in the personal data of nearly 160,000 people being accessed.
The Information Commissioner’s Office fined the firm a record 400,000 last month for security failings that it said had allowed customers’ data to be accessed “with ease”.
The ICO said that in 15,656 cases, bank account details and sort codes had been accessed.