One of Britain’s biggest mobile phone companies, Three UK – which is responsible for 37% of all UK Mobile data- has admitted Thursday evening that their customer database was breached. Three Mobile admitted that hackers have successfully accessed its customer upgrade database after using an employee login.
Up to six million of the company’s nine million customers could be at risk and that the data accessed included names, phone numbers, addresses and dates of birth, they also stated that no financial information was accessed. (Notice how everything is either ‘three’ or a multiple of ‘three’ ? Bad timing, I know.)
“Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices. We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity. The investigation is ongoing and we have taken a number of steps to further strengthen our controls. In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system. This upgrade system does not include any customer payment, card information or bank account information.”
The fact that no financial data was accessed is somewhat moot since the fraudsters can still use the exposed information to scam Three UK’s customers, such as by either impersonating support agents or placing orders for the upgraded phones and then intercepting the parcels as they arrive (these phones are then resold). Customers appear to have reported both types of fraud.
At this stage Three UK is still investigating and as such they do not know if all of the exposed customer details were stolen from their servers or if the activity was more targeted. The issue itself only came to light after customers began reporting a rise in related scams.
Any customers that are concerned about their account or data can contact Three by calling 333 from a Three mobile or on 0333 338 1001 from any other phone to enquire if their details were accessed. The Telegraph explains in detail how affected you can protect themselves.
Meanwhile, Police have arrested three men in connection with the data breach at the Three mobile network including one 35-year-old man who was arrested on suspicion of attempting to pervert the course of justice. The other two men were a little older and both were arrested under suspicion of breaching the Computer Misuse Act.
After some prodding Three UK has put out a statement to customers, albeit so far only via their Facebook page :
We’re aware of an attempted fraud issue regarding upgrade devices and are working with police and relevant authorities on the matter. The objective was to steal high-end smartphones from Three, but we’ve already put measures in place to stop the fraudulent activity.
We’d like to reassure customers that their financial details are not at risk. We are investigating how many customers are affected and will be contacting them as soon as possible. We’ll update with further information once we have this.
Are you an affected customer? Feel free comment below.