Three, one of Britain's biggest mobile phone companies, said late on Thursday hackers had accessed its customer upgrade database after using employee logins.
The cyber security breach could put the private information of two-thirds of Three's 9 million customers at risk, the Telegraph said, citing sources familiar with the incident.
"This upgrade system does not include any customer payment, card information or bank account information," Three spokesman Nicholas Carter told Reuters in an email.
The company, part of CK Hutchison Holdings Ltd, said that over the last four weeks Three has seen an increasing level of attempted handset fraud.
"To date, we have confirmed approximately 400 high-value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity," Carter said.
"This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices."
Three men have been arrested in connection with the breach at Three, the BBC reported on Friday.
The National Crime Agency (NCA), as part of its inquiries, arrested a man from Kent and two men from Manchester on Wednesday, the BBC reported.
All three have been released on bail pending further enquiries, the BBC added citing an NCA spokeswoman.
The NCA declined to comment.
Britain's data protection regulator fined broadband provider TalkTalk Telecom Group Plc 400,000 pounds ($496,200) in October for security failings that enabled a cyber attack last year, which affected around 4 percent of the company's 4 million customers and cost it around 60 million pounds.
