Mobile operator Three UK has revealed that 76,373 more customers than initially reported were affected by last year’s data breach of their database (i.e. users eligible for a phone upgrade), which means that a total of 210,000+ users had their personal data compromised (up from 133,827).
The original breach saw several hackers or fraudsters use “authorised logins” to access Three UK’s internal customer database, which contained the names, phone numbers, addresses, dates of birth and some emails for a large number of the operators’ 9 million customers in the United Kingdom. Mercifully the database did not contain any financial data, pin numbers or account passwords.
After this the fraudsters used the data to order and sell on new handsets fraudulently, which was achieved by the criminals either impersonating support agents and or placing orders for the upgraded phones and then intercepting the parcels as they arrive (related phones were then resold). At the time Three UK confirmed that three people had been arrested in connection with the crime and all have since been released on bail.
This week the operator has revealed that “additional files were recovered” during the investigation, which have now been analysed and as a result they’ve felt it necessary to contact a further 76,373 customers in order to advise them of the situation.
Three UK Statement
We have continued to work closely with law enforcement to support the ongoing investigation. During the course of the investigation, additional files were recovered as part of the same activity which we have analysed.
We have contacted a further 76,373 customers to advise them of the new information and apologise for the inconvenience and concern this may cause. No fraudulent activity has been identified against the customers we have contacted today.
We can re-confirm that no financial information, bank details, passwords or pin numbers were viewed or obtained as they are not stored on the upgrade system.
By the sounds of it Three UK uncovered another stash of customer data that the fraudsters hadn’t yet had a chance to abuse. The investigation is on-going and it sounds as if the police have plenty of evidence to use against the dastardly crims.
Meanwhile the operator said they “don’t believe that any additional records were obtained,” although customers are still advised to be cautious. “If it is a call from Three and you are in any doubt that it is genuine, end the call and call us back on 333 from your Three mobile. As always, customers should never give out any banking information.”