Three mobile data hack leaves 9 million customers at risk

The company said that while names and addresses were accessed, no financial information had been compromised

Click to follow
The Independent Online

Three men have been arrested after a data breach at the Three mobile network allowed fraudsters to access personal data and steal phones.

The company said that while names and addresses were accessed, no financial information had been compromised.

Fraudsters were understood to have used authorised login information to order upgraded phones, including iPhone and Samsung handsets, to be sent to customers before intercepting them. Three, which has nine million customers, said it believed around 400 phones had been stolen.

On Wednesday, the National Crime Agency arrested a 48-year-old man from Orpington, Kent, and a 39-year old man from Ashton-under-Lyne, Manchester, on suspicion of computer misuse offences as well as a 35-year old man from Moston, Manchester, on suspicion of attempting to pervert the course of justice.

A spokesman for the firm said: “Over the last four weeks Three has seen an increasing level of attempted handset fraud.

“This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.

“We’ve been working closely with the police and relevant authorities. To date, we have confirmed approximately 400 high-value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity. The investigation is ongoing and we have taken a number of steps to further strengthen our controls.

“In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system. This upgrade system does not include any customer payment, card information or bank account information.”

Experts raised the alarm at the ease with which confidential data was stolen. Matt Middleton-Leal, a director at security firm CyberArk said: “Once again, the story is not so much about hackers getting into a company, more how simple it seems to be to access and exfiltrate data without alarms being raised. Containing hackers’ access and identifying suspicious behaviour once they are inside is key.”

The news comes after hackers accessed personal data of 160,000 TalkTalk customers following an attack on its website on 21 October last year. The firm was fined £400,000 for security failings. In 15,656 cases, bank account numbers and sort codes were accessed.