Data leak
Three Mobile UK Breach: 133,827 Customer Upgrade Orders, Insider Threat
Incident Details
In November 2016, Three Mobile UK, one of the UK’s major mobile network operators, disclosed a breach of its customer upgrade system. Fraudsters used compromised employee login credentials to access Three’s upgrade customer database containing records for 133,827 customers who had ordered phone upgrades. The breach was used for an unusual type of fraud: the attackers intercepted handset deliveries and diverted new premium smartphones (worth hundreds of pounds each) to fraudulent addresses. This ‘handset interception’ fraud netted the criminals numerous high-value phones. Three’s breach resulted in significant customer disruption. The UK ICO investigated and fined Three £400,000 under the pre-GDPR Data Protection Act 1998 for security failings. Three’s handling of the incident was criticised for inadequate access controls and monitoring of employee credential use. Eight individuals were subsequently arrested by the National Crime Agency in connection with the fraud. The breach was notable for demonstrating how customer database access can be monetised through physical goods fraud rather than identity theft, a less commonly discussed but highly damaging attack vector.
Technical Details
- Initial Attack Vector: Fraudsters used a legitimate employee login credential (obtained via an insider or social engineering) to access Three Mobile's customer upgrade database; they then used customer data to intercept handset upgrades, diverting new handsets to fraudsters rather than legitimate customers.
- Vendor / Product: Three Mobile UK customer upgrade database
Timeline
- 2016-11-01 Breach occurred
- 2016-11-17 Publicly disclosed
- 2016-11-17 Customers notified