*Update* Three UK Suffer Major Data Breach – 133,827 Customers Have Details Stolen
Major UK carrier Three, which is responsible for 37% of all UK mobile data, admitted on Thursday evening that its customer database was breached using an employee’s login. Up to six million of the company’s nine million customers could be at risk, and the data accessed included names, phone numbers, addresses and dates of birth. The company also stated that no financial information was accessed.
“As you may already know, we recently became aware of suspicious activity on the system we use to upgrade existing customers to new devices and I wanted to update all our customers on what happened and what we have done. I understand that our customers will be concerned about this issue and I would like to apologise for this and any inconvenience this has caused. Once we became aware of the suspicious activity, we took immediate steps to block it and add additional layers of security to the system while we investigated the issue. On 17th November we were able to confirm that 8 customers had been unlawfully upgraded to a new device by fraudsters who intended to intercept and sell on those devices.
I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question. We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently. We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have. As an additional precaution we have put in place increased security for all these customer accounts. We have been working closely with law enforcement agencies on this matter and three arrests have been made. I understand that this will have caused some concern and inconvenience for our customers and for that I sincerely apologise.”
“Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices. We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity. The investigation is ongoing and we have taken a number of steps to further strengthen our controls. In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system. This upgrade system does not include any customer payment, card information or bank account information.”
The company has since said that it has strengthened data security and will be contacting the eight victims of handset fraud. The National Crime Agency has reported that a 35-year-old male from Manchester has been arrested on suspicion of attempting to pervert the course of justice, while a 48-year-old male from Kent and a 39-year-old male from Manchester have been arrested on suspicion of computer misuse offences. All three have since been released on bail pending further investigation.
Any customers that are concerned about their account or data can contact Three by calling 333 from a Three mobile or on 0333 338 1001 from any other phone to enquire if their details were accessed. All customers should pay particular attention to potential phishing attacks, as stolen details can be used to make it appear as though an email or phone call is from a business such as a bank that you would normally trust. It is also advisable to change the online password for your Three account and any other website or service that uses the same password.
The legal repercussions of this breach are still unclear; however, it is possible that the Information Commissioner’s Office will give Three a fine of up to £500,000. The largest fine issued by the ICO so far has been £400,000 to ISP TalkTalk after a data breach affecting 157,000 customers.
This article will continue to be updated as we learn more.