Six million customers of mobile operator Three UK could be at risk after the provider admitted that a database of users (those eligible for a phone upgrade) was breached. Three people have already been arrested in connection with the situation, but the operator has done little to inform users.
A quick visit to Three UK’s website this morning reveals no mention of the situation and it’s a similar story on their Facebook and Twitter pages, all of which are devoid of related updates. Meanwhile plenty of customers, many of whom are angry that the mainstream news learnt of the breach before they did, are clamouring for information.
At this stage what we know is that hackers or fraudsters used “authorised logins” to access Three UK’s internal customer database, which contained the names, phone numbers, addresses and dates of birth (no mention of account passwords, yet) for 6 million of the operator’s 9 million customers in the United Kingdom.
Mercifully the database, which listed customers who are eligible for a handset upgrade, did not contain any financial data (NO credit card numbers etc.).
A spokesperson for Three UK said (Telegraph):
“Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.
We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity. The investigation is ongoing and we have taken a number of steps to further strengthen our controls.
In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system. This upgrade system does not include any customer payment, card information or bank account information.”
The fact that no financial data was accessed is of limited comfort, since the fraudsters can still use the exposed information to scam Three UK’s customers, either by impersonating support agents or by placing orders for upgraded phones and then intercepting the parcels as they arrive (these phones are then resold). Customers appear to have reported both types of fraud.
At this stage Three UK is still investigating and as such they do not know if all of the exposed customer details were stolen from their servers or if the activity was more targeted. The issue itself only came to light after customers began reporting a rise in related scams.
Apparently three men have already been arrested in connection with the breach, including one 35-year-old man who was arrested on suspicion of attempting to pervert the course of justice. The other two men were a little older and both were arrested on suspicion of breaching the Computer Misuse Act.
A few more details from Three UK would be nice, but so far they don’t appear to be taking a leaf out of TalkTalk’s more open book approach. Mind you, TalkTalk still ended up being fined £400,000 by the ICO.
After some prodding Three UK has put out a statement to customers, albeit so far only via their Facebook page.
Three UK Statement to Customers
We’re aware of an attempted fraud issue regarding upgrade devices and are working with police and relevant authorities on the matter. The objective was to steal high-end smartphones from Three, but we’ve already put measures in place to stop the fraudulent activity.
We’d like to reassure customers that their financial details are not at risk. We are investigating how many customers are affected and will be contacting them as soon as possible. We’ll update with further information once we have this.
UPDATE 19th Nov 2016
The CEO of Three UK has confirmed that information from 133,827 customer accounts was obtained, but no bank details, passwords, PINs, payment information or credit/debit card information were stored on the upgrade system in question.
David Dyson, CEO of Three UK, said:
“As you may already know, we recently became aware of suspicious activity on the system we use to upgrade existing customers to new devices and I wanted to update all our customers on what happened and what we have done.
I understand that our customers will be concerned about this issue and I would like to apologise for this and any inconvenience this has caused.
Once we became aware of the suspicious activity, we took immediate steps to block it and add additional layers of security to the system while we investigated the issue.
On 17th November we were able to confirm that 8 customers had been unlawfully upgraded to a new device by fraudsters who intended to intercept and sell on those devices.
I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, PIN numbers, payment information or credit/debit card information are stored on the upgrade system in question.
We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.
We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have.
As an additional precaution we have put in place increased security for all these customer accounts.
We have been working closely with law enforcement agencies on this matter and three arrests have been made.
I understand that this will have caused some concern and inconvenience for our customers and for that I sincerely apologise.”