
UPDATE2 Data Breach At Three UK Impacts 133,827 Mobile Customers

Friday, November 18th, 2016 (8:38 am)

Six million customers of mobile operator Three UK could be at risk after the provider admitted that a database of users (those eligible for a phone upgrade) was breached. Three people have already been arrested in connection with the situation, but the operator has done little to inform users.

A quick visit to Three UK’s website this morning reveals no mention of the situation and it’s a similar story on their Facebook and Twitter pages, all of which are devoid of related updates. Meanwhile plenty of customers, many of whom are angry that the mainstream news learnt of the breach before they did, are clamouring for information.

At this stage what we know is that hackers or fraudsters used “authorised logins” to access Three UK’s internal customer database, which contained the names, phone numbers, addresses and dates of birth (no mention of account passwords yet) for 6 million of the operator’s 9 million customers in the United Kingdom.

Mercifully the database, which listed customers who are eligible for a handset upgrade, did not contain any financial data (NO credit card numbers etc.).

A Spokesperson for Three UK said (Telegraph):

“Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.

We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity. The investigation is ongoing and we have taken a number of steps to further strengthen our controls.

In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system. This upgrade system does not include any customer payment, card information or bank account information.”

The fact that no financial data was accessed is somewhat moot since the fraudsters can still use the exposed information to scam Three UK’s customers, such as by either impersonating support agents or placing orders for the upgraded phones and then intercepting the parcels as they arrive (these phones are then resold). Customers appear to have reported both types of fraud.

At this stage Three UK is still investigating and as such they do not know if all of the exposed customer details were stolen from their servers or if the activity was more targeted. The issue itself only came to light after customers began reporting a rise in related scams.

Apparently three men have already been arrested in connection with the breach, including one 35-year-old man who was arrested on suspicion of attempting to pervert the course of justice. The other two men were a little older and both were arrested under suspicion of breaching the Computer Misuse Act.

A few more details from Three UK would be nice, but so far they don’t appear to be taking a leaf out of TalkTalk’s more open book approach. Mind you, TalkTalk still ended up being fined £400,000 by the ICO.

UPDATE 8:56am

After some prodding Three UK has put out a statement to customers, albeit so far only via their Facebook page.

Three UK Statement to Customers

We’re aware of an attempted fraud issue regarding upgrade devices and are working with police and relevant authorities on the matter. The objective was to steal high-end smartphones from Three, but we’ve already put measures in place to stop the fraudulent activity.

We’d like to reassure customers that their financial details are not at risk. We are investigating how many customers are affected and will be contacting them as soon as possible. We’ll update with further information once we have this.

UPDATE 19th Nov 2016

The CEO of Three UK has confirmed that information from 133,827 customer accounts was obtained, but no bank details, passwords, PIN numbers, payment information or credit/debit card information were stored on the upgrade system in question.

David Dyson, CEO of Three UK, said:

“As you may already know, we recently became aware of suspicious activity on the system we use to upgrade existing customers to new devices and I wanted to update all our customers on what happened and what we have done.

I understand that our customers will be concerned about this issue and I would like to apologise for this and any inconvenience this has caused.

Once we became aware of the suspicious activity, we took immediate steps to block it and add additional layers of security to the system while we investigated the issue.

On 17th November we were able to confirm that 8 customers had been unlawfully upgraded to a new device by fraudsters who intended to intercept and sell on those devices.

I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.

We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.

We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have.

As an additional precaution we have put in place increased security for all these customer accounts.

We have been working closely with law enforcement agencies on this matter and three arrests have been made.

I understand that this will have caused some concern and inconvenience for our customers and for that I sincerely apologise.”

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
15 Responses
  1. TWKND says:

    Well I guess I should finally get off my ass and start using unique passwords.

    1. TWKND says:

      Should probably clarify they’re not all identical; I’m careful with my most important accounts.

    2. DTMark says:

      I had an old Skype account compromised recently. It may have been using credentials previously published on the internet which were obtained from Dropbox, LinkedIn, or Adobe. It may not.

      The only way to close the Skype account, or change the password, was to first link that to the rest of my Microsoft account (actually, they had linked it anyway as the email address matched, they just wanted me to authorise what they had done already without my consent) and then close the Microsoft account completely. Under no circumstances were Microsoft going to de-link it for me to prevent cross-compromise.

      I now have a separate Microsoft account for each service that I use, a local PC login (not with a Microsoft account) and use a different Microsoft account for my mobile phone.

      These “single sign ins” might well be convenient, but they’re a total security disaster if/when compromised. I’d rather have the inconvenient option.

      If using the same password for a set of single sign in sites like Microsoft, Google et al, and other sites too, as I suspect many do (not directed at anyone here), life will rapidly become a misery if just one of those is ever compromised. I suspect we’re going to see some high profile cases in the coming years with things like this.

  2. Mml says:

    Was ISPreview under attack too this morning when it was showing unable to connect to database error?

    1. Mark Jackson says:

      No, hardware failure of the database server. Some new kit was put in to fix it.

  3. john says:

    Nice to see somewhere is reporting it – shame it’s NOT three themselves

    1. Mml says:

      I first saw it tonight in some Russian media. Then the story appeared on BBC News, then here.

    2. john says:

      It seems to have arrived on the portal yesterday. Better late than never :/

  4. dragoneast says:

    I suspect this sort of activity is going on all the time. And that what we hear about is the tip of the iceberg. One of the joys of commerce. Still, it’s always nice to know.

    1. john says:

      Unless I have read it wrong it does seem like an inside job, or someone who has access.

    2. Mark Jackson says:

      It does sound like an inside job, although equally somebody could have brute forced a login and gained remote access to the operator’s corporate VPN. We don’t know yet and probably won’t find out the full details until the ICO conclude their investigation.

    3. john says:

      From what I have read sounds like it was done using internal staff credentials. I guess the question now is, was it done with or without their knowledge?

  5. dragoneast says:

    It’s not just those eligible for a handset upgrade that are affected. Mid-contract customers are affected too.

  6. Shane says:

    For all you passworders, I recommend using LastPass.

    For Three customers – does this mean we will get some compensation?

    1. john says:

      Why should you? Three took the hit, not anyone whose account was used.
