Mobile provider Three has confirmed that it has suffered a data breach resulting in the theft of personal information covering around six million of its customers.
In a somewhat disingenuous statement to press entitled 'handset fraud investigation
' made early this morning, Three dropped the bombshell that attackers have made off with the personal details covering an estimated six million of its nine million customers. Interestingly, there is evidence the attack may have been an inside job: Rather than breaking through a security vulnerability, the attackers are claimed to have used valid staff credentials to leach data from Three's internal upgrade database.
'Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices,
' the company's statement claimed. 'We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and 8 devices have been illegally obtained through the upgrade activity. In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three's upgrade system.
According to Three, the upgrade system is held separately to its primary customer database. As a result, the data accessible to the attackers was limited: names, addresses, phone numbers, and dates of birth were included, but not bank or payment card information. Nevertheless, the data proved enough not only for the recipients to carry out the handset fraud scam unearthed by Three but also to contact its customers and attempt to social engineer access to the bank accounts and card details, according to coverage in The Telegraph
Three has indicated that it is continuing its investigation into the breach and has 'taken a number of steps to further strengthen our controls.
has confirmed the arrest of three individuals with the National Crime Agency (NCA). Two, a 48 year old from Kent and a 39 year old from Manchester, are suspected of offences under the Computer Misuse Act; a third, 35 years old from Manchester, is suspected of perverting the course of justice. All have been released on bail.
Update November 21st, 10:02
Three chief executive officer Dave Dyson has issued a statement downplaying the severity of the breach, claiming that only a minority of accounts were affected and that the purpose was handset upgrade fraud against Three itself rather than direct exploitation of users' account details. ' In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question,
' Dyson's statement claimed. 'We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.
Dyson has indicated that all affected customers have now been contacted.