Three Mobile have admitted suffering a data breach, a breach that could put at risk the personal details of up to 6 million customers. The hackers successfully gained access to the Three Customer Upgrade Database by using an employee login. Three have admitted that details from 130,000 of their customers is known to have been stolen.
Data stolen in the hack includes names, addresses, and dates of birth. The purpose of the hack was to steal phones, by triggering an upgrade within Three’s systems and intercepting the mobile handset in transit. Three have admitted the hackers successfully managed to order and steal eight phones using the stolen customer details.
Weak password practices by employees are responsible for 65% of data breaches, so it’s no surprise that once again the attack vector is unauthorised credential-based access. Three have not yet disclosed just how the internal login details were obtained, whether by social engineering, insecure storage of passwords or whether it was simply a weak password that was easy for a hacker to work out.
In an attempt to placate Three customers, CEO David Dyson, issued the following statement:
As you may already know, we recently became aware of suspicious activity on the system we use to upgrade existing customers to new devices and I wanted to update all our customers on what happened and what we have done. I understand that our customers will be concerned about this issue and I would like to apologise for this and any inconvenience this has caused. Once we became aware of the suspicious activity, we took immediate steps to block it and add additional layers of security to the system while we investigated the issue.
On 17th November we were able to confirm that 8 customers had been unlawfully upgraded to a new device by fraudsters who intended to intercept and sell on those devices. I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.
We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently. We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have. As an additional precaution we have put in place increased security for all these customer accounts. We have been working closely with law enforcement agencies on this matter and three arrests have been made. I understand that this will have caused some concern and inconvenience for our customers and for that I sincerely apologise. [David Dyson, CEO]
Three have carried out an initial investigation, in which they found that for 107,102 customers, the following information could have been obtained: Whether they are a handset or SIM only customer, contract start and end date, handset type, Three account number, how long they’ve been with Three, whether the bill is paid by cash or card, billing date and name. For a further 26,725 customers the following information could have been obtained: Name, address, date of birth, gender, handset type, contract start and end date, whether they are a handset or SIM only customer, telephone number, email address, previous address, marital status, employment status, Three account number and phone number and how long they’ve been with Three.
Three Customers Beware of Phishing
We expect Three customers to now be targeted by phishing scams where other cyber criminals play on the fear amongst Three users of having had their account details stolen. Three customers should be wary of emails purporting to come from Three asking them to verify or reset account credentials. These will most-likely be phishing emails that link to spoofed websites where customers' login details are captured and stolen.
Should the ICO decide that Three have been negligent, the variety of imposed sanctions could vary from forcing an external audit of the firm to criminal prosecution. The cost to the organisation won’t be limited to remedying the damage or implementing a solution, reputational and financial damage can be significant.
The recent TalkTalk data breach is believed to have cost the organisation £40m, and resulted in 100,000 customers being lost immediately following the data breach. When employees have to manage multiple passwords, security is often the first compromise.
2 out of every 3 attacks focus on credentials, with 63% of confirmed breaches involve taking advantage of weak, default or stolen passwords. It’s no surprise that credentials were responsible for this latest breach at Three Mobile, what is surprising is that they left themselves vulnerable to a credential-based attack through Insider Threat.