Three suffers another data breach

published 21 March 2017

UK mobile operator Three may have landed itself in hot water again, after a data breach resulted in some customers being presented with the telephone histories and personal details of other users.

When some Three users logged into the My3 account management portal, they found themselves presented with the names, addresses and phone numbers for random strangers, as well as complete, time-stamped records of which numbers these people called and texted.

The company's My3 portal was taken offline for maintenance, which drew ire from customers who were left unable to top up or check their balances.

"We are aware of a small number of customers who may have been able to view the mobile account details of other Three users using My3," the company said in a statement. "No financial details were viewable during this time and we are investigating the matter."

This incident follows on from an attack earlier this year in which data thieves made off with the personal information of 133,000 users. Security experts have chastised the company for not doing more to secure its systems in the wake of the previous breach.

""In another blow to a seemingly endless battle for companies vs. customers' data, Three has suffered another breach of information," said Smoothwall corporate security specialist David Navin. "Reminiscent of multiple attacks against TalkTalk in a short space of time, Three will have some tough questions to answer, such as why their customer data wasn't consequently watertight and 100% secure."

John Madelin, CEO of security specialist Reliance ASCN also pointed out that while no financial data was exposed, the information that was visible is just as dangerous.

"It's extremely concerning that strangers have been able to see each other's account detail," he said. "Even information such as names, addresses, phone numbers and call histories can be used for criminal activities if in the wrong hands."

"While at the moment this doesn't look like a true security breach, it's clear that Three is struggling to manage basic customer privacy."

Privacy campaign group Big Brother Watch toldIT Prothe latest breach casts doubt over telecom companies' ability to store 12 months of users' web browsing histories, as they will soon be required to under the Investigatory Powers Act.

Research director Daniel Nesbitt said: "Any breach of this kind of personal information has the potential to be very serious.

"In the wrong hands information such as the names, addresses and call histories of customers can be used to paint an intimate picture of a person's life.

"With the Investigatory Powers Act mandating that companies hold onto records of all of their customers internet activity for up to 12 months this threat merely increases. This data has to be kept secure and there must be proper transparency about how the system is working, if it isn't yielding results then it should be scrapped."

Image credit: Three UK

Investigatory Powers Bill passes through Parliament Over 133,000 Three mobile customers hit by data breach

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.

Get the ITPro daily newsletter