Three UK has confirmed that criminals were able to access the details of 133,827 customers last week, but said that the data itself was not the target.
The mobile operator revealed on Friday that fraudsters had accessed its upgrade system via authorised log-ins in a bid to steal high-end smartphones.
It was unsure how many of its nine million subscribers were affected, but Three released a statement from CEO David Dyson confirming the exact figure.
Details including names, contract terms, handset types, account numbers, billing methods, and billing dates of 107,102 customers were compromised.
A further 26,725 customers had details about their current and previous address, date of birth, gender, telephone number, email address, marital status and employment status accessed.
No bank details, passwords, pin numbers, payment information or credit/debit card information was stored on the database in question, and so is not at risk, according to Three.
However, it warned customers to remain cautious about anyone contacting them.
The UK’s National Crime Agency (NCA) arrested three people in connection with the case last week.
Three and the NCA said the investigation is ongoing.
“We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently,” Dyson said.
“We are contacting all of these customers… to individually confirm what information has been accessed and directly answer any questions they have."
He added: “As an additional precaution we have put in place increased security for all these customer accounts.
“I understand that this will have caused some concern and inconvenience for our customers and for that I sincerely apologise.”