Three, the smallest of Britain's four mobile phone networks, said yesterday that hackers had accessed its customer upgrade database after using employee logins.
The cyber security breach could put the private information of two-thirds of Three's nine million customers at risk, the Telegraph said, citing sources familiar with the incident.
Three said it was investigating how many customers were affected and would be contacting them as soon as possible.
It is understood no Irish customers of Three are affected by the breach.
"This upgrade system does not include any customer payment, card information or bank account information," Three spokesman Nicholas Carter told Reuters in an email.
The company, part of CK Hutchison Holdings, said that over the last four weeks Three has seen an increasing level of attempted handset fraud.
"To date, we have confirmed approximately 400 high-value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity," Mr Carter said.
"This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices."
Three men have been arrested in connection with the breach at Three, the UK National Crime Agency (NCA) said today.
A 48-year-old man from Kent, southern England, and a 39-year-old man from Manchester, northern England were arrested on suspicion of computer misuse offences, and a 35-year-old man, also from Manchester, was arrested on suspicion of attempting to pervert the course of justice, the NCA said.
All three have been released on bail pending further enquiries, a spokesman said.
Britain's data protection regulator fined broadband provider TalkTalk £400,000 in October for security failings that enabled a cyber attack last year, which affected around 4% of the company's 4 million customers and cost it around £60 million.
