Three’s website exposes mobile phone customers’ details to strangers

Graham Cluley


Three appears to have made a blunder, after customers logging into the British mobile phone company’s website found themselves looking at other customers’ accounts – including the names, addresses, call histories and data usage of complete strangers.

The Guardian describes how one customer, Andy Fidler, found the Three app on his mobile phone wasn’t working – and so he decided to log into Three’s website instead:

“I managed to successfully download a complete stranger’s phone bill. All I did was click on the link to bring up my bill. It included the name, address, how much they were paying, the phone numbers they had rung and texted.”

Fortunately, bank details were not accessible.

He wasn’t the only one to stumble across the problem – which appears to be more of a technical screw-up than a malicious hack – as posts on Three’s official Facebook page reveal.

A Three spokesperson says that they are aware of the problem and are investigating.

But one has to wonder how many customers could have been put at risk of having their private data exposed, and for how long the problem has been present.

The Information Commissioner’s Office has confirmed it will be “looking into this potential incident involving Three”, and if it finds the company has been sloppy in securing customer details, it is unlikely to be impressed.

Last November, in what appears to be an unconnected incident, Three revealed that its upgrade database had been breached, exposing the names, phone numbers, addresses and dates of birth of over 130,000 customers.

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s, when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “Three’s website exposes mobile phone customers’ details to strangers”

  1. Unacceptable. I'd encourage anybody affected by this to report Three to the Information Commissioner's Office and then seek independent legal advice.

    https://ico.org.uk/
