
UPDATE2 Data Breach At Three UK Impacts 133,827 Mobile Customers

Posted Friday, November 18th, 2016 (8:38 am) by Mark Jackson (Score 2,196)

Six million customers of mobile operator Three UK could be at risk after the provider admitted that a database of users (those eligible for a phone upgrade) was breached. Three people have already been arrested in connection with the situation, but the operator has done little to inform users.

A quick visit to Three UK’s website this morning reveals no mention of the situation and it’s a similar story on their Facebook and Twitter pages, all of which are devoid of related updates. Meanwhile plenty of customers, many of whom are angry that the mainstream news learnt of the breach before they did, are clamouring for information.

At this stage what we know is that hackers or fraudsters used “authorised logins” to access Three UK’s internal customer database, which contained the names, phone numbers, addresses and dates of birth (no mention of account passwords... yet) for 6 million of the operator’s 9 million customers in the United Kingdom.

Mercifully the database, which listed customers who are eligible for a handset upgrade, did not contain any financial data (NO credit card numbers etc.).

A Spokesperson for Three UK said (Telegraph):

“Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.

We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity. The investigation is ongoing and we have taken a number of steps to further strengthen our controls.

In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system. This upgrade system does not include any customer payment, card information or bank account information.”

The fact that no financial data was accessed is somewhat moot since the fraudsters can still use the exposed information to scam Three UK’s customers, such as by either impersonating support agents or placing orders for the upgraded phones and then intercepting the parcels as they arrive (these phones are then resold). Customers appear to have reported both types of fraud.

At this stage Three UK is still investigating and as such they do not know if all of the exposed customer details were stolen from their servers or if the activity was more targeted. The issue itself only came to light after customers began reporting a rise in related scams.

Apparently three men have already been arrested in connection with the breach, including one 35-year-old man who was arrested on suspicion of attempting to pervert the course of justice. The other two men were a little older and both were arrested under suspicion of breaching the Computer Misuse Act.

A few more details from Three UK would be nice, but so far they don’t appear to be taking a leaf out of TalkTalk’s more open book approach. Mind you, TalkTalk still ended up being fined £400,000 by the ICO.

UPDATE 8:56am

After some prodding Three UK has put out a statement to customers, albeit so far only via their Facebook page.

Three UK Statement to Customers

We’re aware of an attempted fraud issue regarding upgrade devices and are working with police and relevant authorities on the matter. The objective was to steal high-end smartphones from Three, but we’ve already put measures in place to stop the fraudulent activity.

We’d like to reassure customers that their financial details are not at risk. We are investigating how many customers are affected and will be contacting them as soon as possible. We’ll update with further information once we have this.

UPDATE 19th Nov 2016

The CEO of Three UK has confirmed that information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information were stored on the upgrade system in question.

David Dyson, CEO of Three UK, said:

“As you may already know, we recently became aware of suspicious activity on the system we use to upgrade existing customers to new devices and I wanted to update all our customers on what happened and what we have done.

I understand that our customers will be concerned about this issue and I would like to apologise for this and any inconvenience this has caused.

Once we became aware of the suspicious activity, we took immediate steps to block it and add additional layers of security to the system while we investigated the issue.

On 17th November we were able to confirm that 8 customers had been unlawfully upgraded to a new device by fraudsters who intended to intercept and sell on those devices.

I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.

We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.

We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have.

As an additional precaution we have put in place increased security for all these customer accounts.

We have been working closely with law enforcement agencies on this matter and three arrests have been made.

I understand that this will have caused some concern and inconvenience for our customers and for that I sincerely apologise.”

15 Responses
  1. TWKND

    Well I guess I should finally get off my ass and start using unique passwords.

    • TWKND

      Should probably clarify they’re not all identical, I’m careful with my most important accounts

    • DTMark

      I had an old Skype account compromised recently. It may have been using credentials previously published on the internet which were obtained from Dropbox, Linked In, or Adobe. It may not.

      The only way to close the Skype account, or change the password, was to first link that to the rest of my Microsoft account (actually, they had linked it anyway as the email address matched, they just wanted me to authorise what they had done already without my consent) and then close the Microsoft account completely. Under no circumstances were Microsoft going to de-link it for me to prevent cross-compromise.

      I now have a separate Microsoft account for each service that I use, a local PC login (not with a Microsoft account) and use a different Microsoft account for my mobile phone.

      These “single sign ins” might well be convenient, but they’re a total security disaster if/when compromised. I’d rather have the inconvenient option.

      If using the same password for a set of single sign in sites like Microsoft, Google et al, and other sites too, as I suspect many do (not directed at anyone here), life will rapidly become a misery if just one of those is ever compromised. I suspect we’re going to see some high profile cases in the coming years with things like this.

  2. Mml

    Was ISPreview under attack too this morning when it was showing unable to connect to database error?

  3. john

    Nice to see somewhere is reporting it – shame it’s NOT three themselves

  4. dragoneast

    I suspect this sort of activity is going on all the time. And that what we hear about is the tip of the iceberg. One of the joys of commerce. Still, it’s always nice to know.

    • john

      Unless I have read it wrong it does seem like an inside job, or someone who has access

    • It does sound like an inside job, although equally somebody could have brute forced a login and gained remote access to the operator’s corporate VPN. We don’t know yet and probably won’t find out the full details until the ICO conclude their investigation.

    • john

      From what I have read sounds like it was done using internal staff credentials. I guess the question now is, was it done with or without their knowledge?

  5. dragoneast

    It’s not just those eligible for a handset upgrade that are affected. Mid-contract customers are affected too.

  6. Shane

    For all you passworders. I recommend using LAST PASS.

    For Three customers – does this mean we will get some compensation?
