PR Fog
The various press reports and Three's own statements make the whole incident very confusing:
Three refers to "authorised logins to Three's upgrade system". Presumably this is an internal system and internal credentials that have been used? Or is it an internet-facing system and customer credentials that have been used?
Three refers mainly to attempted fraud (being very specific mentions about upgrades being ordered for only 8 customers) and makes little mention about data theft. Was data taken or did the intruders just have access to the database which contained the details? There is a big difference between the records of 5m customers being taken and intruders being able to view individual customer details from a database containing 5m records.
Hopefully we will find out more over the next couple of days.