Three UK is the latest company to suffer what looks to be a major data breach — potentially exposing the personal information of millions of customers.
As many as two-thirds of Three’s customers are thought to have had their information compromised after hackers obtained an employee login.
The UK mobile network operator has some 8.8 million active customers, and 4,400 employees.
The Telegraph reports that hackers successfully gained access to Three’s customer upgrade database using an employee login. They then used the login to trigger bogus upgrades for premium smartphones — with the aim of intercepting devices before they reached customers.
The Three customer data accessed is said to include names, phone numbers, addresses and dates of birth, but no financial information.
In a statement given to the newspaper, Three said it has seen an increased level of attempted handset fraud over the past month — confirming that 400 high value handsets have been stolen via burglaries at its retail stores over this period, with a further eight devices “illegally obtained through the upgrade activity”.
“In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system. This upgrade system does not include any customer payment, card information or bank account information,” it added.
We’ve reached out to Three with additional questions and will update this story with any response. A spokeswoman was unable to confirm whether the breach only affects pay monthly customers vs SIM-only customers at this point, saying they do not yet have “that level of detail”.
In an update about the breach posted to its Facebook page today, Three adds:
We’re aware of an attempted fraud issue regarding upgrade devices and are working with police and relevant authorities on the matter. The objective was to steal high-end smartphones from Three, but we’ve already put measures in place to stop the fraudulent activity. We’d like to reassure customers that their financial details are not at risk. We are investigating how many customers are affected and will be contacting them as soon as possible. We’ll update with further information once we have this.
Three men have been arrested for the hack, according to the National Crime Agency.
A spokesperson for the UK’s data watchdog, the ICO, said: “We’re aware of this incident and are making enquiries. The law requires that organisations take appropriate measures to keep people’s personal data secure. As the regulator, it’s our job to act on behalf of consumers to see whether that’s happened.”
The breach follows a record fine by the ICO for UK ISP TalkTalk, which suffered a major breach in 2015 when hackers stole around 157,000 customer accounts using an SQL injection technique on vulnerable webpages. In that instance the breach was blamed squarely on TalkTalk having poor website security, rather than on a compromised login.
But as security systems are bolstered against external hacking threats, there is growing chatter about rising threats inside corporate networks — where a compromised employee login can offer hackers a far easier route to acquiring sensitive data than trying to penetrate expensive security systems.
One mitigating measure is to deploy two-factor authentication for employee logins.
There is also a growing number of security startups pitching machine learning powered network monitoring systems which alert IT managers to suspicious behavior, such as by analyzing patterns of employee activity. One example is UK-based Darktrace.