Police have arrested three men in connection with a data breach at the Three mobile network.
The company said details, including names and addresses, had been accessed by using a login to its database of customers eligible for a phone upgrade.
It said the breach then allowed upgrade devices to be “unlawfully intercepted”.
On Wednesday the National Crime Agency (NCA) said it had arrested two men from Manchester and one man from Kent as part of its inquiries.
A 48-year-old man from Orpington, Kent, and a 39-year old man from Ashton-under-Lyne, Greater Manchester, on suspicion of computer misuse offences, the NCA said.
The third man, a 35-year old from Moston, Greater Manchester, was arrested on suspicion of attempting to pervert the course of justice.
All three have been released on bail pending further enquiries, an NCA spokeswoman said.
Three, which has nine million customers, is investigating how many accounts were accessed, but said the database did not contain payment, card or bank details.
A spokesman for the company said: “Over the last four weeks Three has seen an increasing level of attempted handset fraud.
“This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.
“We’ve been working closely with the police and relevant authorities.
“To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity.”
He added: “In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system.
“This upgrade system does not include any customer payment, card information or bank account information.”
The company said it has since strengthened its data controls and is contacting the eight handset fraud victims.
The use of a login to access the Three database marks it out from a hacking attack on Talk Talk, which led to the theft of the personal data of nearly 157,000 customers.
Talk Talk was fined £400,000 last month after hackers targeted vulnerable web pages to steal customer information in October last year.