Authorised login used in breach of six million Three UK customer details


Around six million Three UK customers have been put at risk after the operator's database was compromised using authorised credentials.

While no direct financial information was leaked in the breach, valuable details including names, phone numbers, addresses, and dates of birth were accessed which could be sold or used for scam and fraud purposes. 

"For years the industry has said the 'insider threat' is the biggest risk to organisations. This is a case in point. While it's conceivable that user credentials were obtained through social engineering, swift arrests suggest a chain of associated events can likely be traced and compromise comes from insider intent," comments Chris Hodson, EMEA CISO at Zscaler.

Multiple arrests have already been made in connection with the incident, which suggests the breach was not well coordinated and that the chain of events quickly led investigators to the perpetrators.

A spokesman for the National Crime Agency said: "On Wednesday 16 November 2016, officers from the National Crime Agency arrested a 48-year old man from Orpington, Kent and a 39-year old man from Ashton-under-Lyne, Manchester on suspicion of computer misuse offences, and a 35-year old man from Moston, Manchester on suspicion of attempting to pervert the course of justice." 

Three UK has come under fire for its mishandling of the situation and its failure to provide customers with adequate information. As of writing, no notice has been posted on Three's website and no messages have been sent directly to affected customers.

The only public statement made so far is on its Facebook page, which reads:

"We’re aware of an attempted fraud issue regarding upgrade devices and are working with police and relevant authorities on the matter. The objective was to steal high-end smartphones from Three, but we’ve already put measures in place to stop the fraudulent activity. 

We’d like to reassure customers that their financial details are not at risk. We are investigating how many customers are affected and will be contacting them as soon as possible. We’ll update with further information once we have this."

UK ISP TalkTalk suffered a data breach last year which resulted in a £400,000 fine. Under the law, companies must be transparent about breaches involving personal information. TalkTalk was open regarding the breach, although it was fined for poor security measures (two previous attacks had exploited the same SQL injection vulnerability).

TalkTalk's record fine was a warning for other companies to bolster the security protecting customer details. “TalkTalk’s failure to implement the most basic cyber-security measures allowed hackers to penetrate TalkTalk’s systems with ease," said Elizabeth Denham, Information Commissioner. "Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.” 

In the case of Three, it seems no vulnerability was exploited; rather, authorised logins were misused. The operator could avoid a fine on the scale of TalkTalk's as long as no further details about the breach come to light that indicate negligence, and provided further steps are taken to ensure customers are informed about their leaked data.

"When a hack takes place, consumers expect to be told by the company instead of finding out via the morning news that their personal data may have been compromised. As such, it is vital that companies have a data loss response plan, including a crisis communications strategy, which can be set into action within minutes or hours. This means customers are notified immediately and helps the company to retain some credibility and integrity," says Nigel Hawthorn, chief European spokesperson at Skyhigh Networks.

Even if the breach was difficult to avoid, there will likely be some impact on Three's business. TalkTalk reported a 50 percent decline in pre-tax profit a year after it suffered its cyber attack. For Three, the UK's smallest mobile operator, this could be another large blow after its bid to merge operations with O2 was rejected earlier this year.

What are your thoughts on Three's customer data breach? Let us know in the comments.
