Data breach at Three, millions of customer details potentially exposed

Criminals said to have stolen handsets from stores and accessed upgrade database.

The Telegraph writes that customers of the UK's Three mobile network may have had personal details exposed (names, phone numbers, addresses and dates of birth) after the company's upgrade database was breached:

Three has suffered a massive data breach in which the personal information and contact details of millions of customers could have been accessed. It is believed to be one of the largest hacks of its kind to affect people living in Britain.

The National Crime Agency (NCA) is said to have made a number of arrests in connection with the breach.

Here's a statement from Three itself, which pours some cold water on the idea that this was technically a "hack" and instead suggests that the criminals may have used an employee's legitimate username and password to access the sensitive database:

"Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices."

"We've been working closely with the police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity."

"In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three's upgrade system."

Apparently financial information, including bank and credit card details, was not included in the database - but it sounds as if the criminals may have had enough information about Three customers to potentially extract banking details via scam phone calls and the like (a technique we have often seen used against TalkTalk customers in the past).

As a result, I would recommend that Three customers exercise great caution if they are contacted by someone claiming to be from Three.

Remember, when you get calls like this, you shouldn't have to share personal information to prove who you are - they should have to prove who they are. If in any doubt, go to the company's official website (check the URL is the right one!) and call up their customer service department for guidance.

TalkTalk treated its scammed customers poorly after its headline-hitting data breach. Let's hope that Three does a better job.

Further reading: More details emerge regarding the Three data breach
