Three's website exposes mobile phone customers' details to strangers

Technical snafu rather than hack likely to be the cause.

Three appears to have made a blunder, after customers logging into the British mobile phone company's website found themselves looking at other customers' accounts - including the names, addresses, call histories and data usage of complete strangers.

The Guardian describes how one customer, Andy Fidler, found the Three app on his mobile phone wasn't working - and so he decided to log into Three's website instead:

"I managed to successfully download a complete stranger’s phone bill. All I did was click on the link to bring up my bill. It included the name, address, how much they were paying, the phone numbers they had rung and texted."

Fortunately, bank details were not accessible.

He wasn't the only one to stumble across the problem - which appears to be more of a technical screw-up than a malicious hack - as posts on Three's official Facebook page reveal.

A Three spokesperson says that they are aware of the problem and are investigating.

But one has to wonder how many customers could have been put at risk of having their private data exposed, and for how long the problem has been present.

The Information Commissioner's Office has confirmed it will be "looking into this potential incident involving Three", and if it finds the company has been sloppy in securing customer details, it is unlikely to be impressed.

Last November, in what appears to be an unconnected incident, Three revealed that its upgrade database had been breached, exposing the names, phone numbers, addresses and dates of birth of over 130,000 customers.

2 Responses

  1. Bob

    March 21, 2017 at 6:31 pm #

    Unacceptable. I'd encourage anybody affected by this to report Three to the Information Commissioner's Office and then seek independent legal advice.

    https://ico.org.uk/

  2. Mark Jacobs

    March 22, 2017 at 10:13 am #

    That's SQL Server for you!
