Over 133,000 Three mobile customers hit by data breach


Nearly 134,000 customers of the Three mobile network have had their data accessed by criminals, the sompany has admitted.

CEO David Dyson issued a statement on Friday evening, aproximately 18 hours after reports of a data breach first came to light, seeking to reassure customers, but also revealing new details as to the scope of the attack.

"I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question," said Dyson.

In a little over 107,000the accounts affected, criminals could have seen information such as the customer's phone number, how long they have been a Three customer, their handset type and whether they are a SIM-only or monthly contract customer, as well as whether their bill is paid by cash or by card.

For 26,725 customers, however, breach potentially affects additional data, including their name, address, date of birth, email address, previous addresses, marital status and employment status.

The company has said it will be contacting customers on an individual basis if they are one of the 133,827 affected and informing them which category they fall into.

Dyson sought to soothe fears of a wide-scale data leak, however, saying:"We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently."

Earlier in the day it was revealed that eight 'high end' mobile devices had been fraudulently issued using Three's upgrade systems, with the perpetrators apparently intending to intercept and resell the devices. So far, it's unclear as to whether they managed to achieve these aims.

This is a developing story, which will be updated as more information becomes available.

Responses to cyber attacks are too reactive. Learn how to monitor and tackle threats to your business much more swiftly bydownloading this Intel whitepaper.

18/11/2016 (11.39am):Three acknowledges data breach

Three UK has finally issued an official statement acknowledging the upgrade scam first reported last night, in which "authorised logins" for the company's upgrade system were used to issue new handsets to customers, which were then intercepted.

"Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices," the company said. "We've been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and 8 devices have been illegally obtained through the upgrade activity.

"The investigation is ongoing and we have taken a number of steps to further strengthen our controls."

The company has sought to reassure customers that the upgrade system used to issue the eight devices that were illegally intercepted contains no customer payment, card or bank account information.

Earlier today, the ICO toldIT Proit was aware of the situation and was investigating. The National Crime Agency, meanwhile, made two arrests on Wednesday under the Computer Misuse Act and one on suspicion of attempting to pervert the course of justice that are allegedly in relation to the fraudulent upgrade scheme, although the NCA has not yet confirmed this.

18/11/2016 (08.30am):ICO investigating Three 'data breach'

Three men have reportedly been arrested in relation to a data breach at mobile phone network Three. Two of the men, aged 39 and 35, were arrested by the National Crime Agency in the Greater Manchester area on Wednesday, while the third, aged 48, was arrested in Orpington Kent, according toSky News.

It's understood that the three are suspected of being involved in a scam which saw thieves allegedly take information from Three's upgrade database and use it to issue eight new phones. It is alleged that these phones were then intercepted on their way to the Three customer whose account was used to generate the request.

Although there have been reports that the three were being investigated on suspicion of fraud, Sky News reported that thetwo older men were in fact arrested on suspicion of offences under the Computer Misuse Act, while the younger man was arrested on suspicion of attempting to pervert the course of justice. All three are understood to have been released on bail.

The NCA confirmed the details of the arrests toIT Pro but did not confirm if they were related to the reported Three incident.

The Information Commissioner's Office (ICO), meanwhile, toldIT Pro that it is "aware of the incident and [is] making enquiries".

"The law requires that organisations take appropriate measures to keep people's personal data secure. As the regulator, it's our job to act on behalf of consumers to see whether that's happened," it added.

It so far remains unclear at this point how the data came to be compromised, other than an employee login was used, nor how many Three customers have been affected - although it has been reported elsewhere that around six million accounts have been accessed,IT Pro understands the number to be significantly lower.

IT Procontacted Three for clarification of these points but had not received a response at the time of publication.

17/11/2016:Three mobile network hit by 'data breach'

UK mobile network Three has been hit by what is being reported as a major security breach, with customer information including names and phone numbers allegedly accessed illegally.

Three confirmed late on Thursday night that the breach had taken place, with the data, which was stored in a customer upgrade database, accessed via an employee login.

Although the Telegraph, which was first to break the story, has reported that "the private information of two-thirds of the company's nine million customers could be at risk", IT Pro understands the number affected is in fact much lower and potentially in the dozens, rather than millions.

IT Pro contacted Three for a statement on the reports and confirmation of how many people have potentially been affected but had not received a response at the time of publication.

It is also unclear at this point whether or not the company was hit by external hackers and if any data was actually exfiltrated.

The news comes almost a year to the day after another UK mobile network, TalkTalk, was hit by a massive cyber breach, which affected over 150,000 customers. Earlier this week, a 17-year-old boy admitted to carrying out the attack.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.