It was announced this morning that three men had been arrested for a data breach at Three Mobile.
The men were thought to have accessed a Customer Database at Three Mobile using ‘authorised logins’.
This was not an external attack. Once in the database the perpetrators identified customers who were eligible for handset upgrades, ordered eight ‘high value handsets’ and then intercepted them prior to delivery.
Dave Dyson, Three’s CEO said “I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.”
Dave Dyson’s full statement can be found here.
As well as the intercepted upgrades a further 400 ‘high value handsets’ have been stolen through burglaries – presumably targeted by the compromised Customer Data.
Given that the iPhone 7 starts at £600, then 400 of those represents a potential loss of a quarter of a million pounds. Less than the cost of recent Tesco Bank breach, but hardly loose change.
It’s not clear when the data was fraudulently accessed, or whether it was extracted and subsequently sold on. Customer data could be used for ‘credential stuffing’ and future identity theft – as we described here after the data breach that O2 reported this summer.
Three claims to have strengthened its data controls, but Three customers should exercise caution, and consider changing their Three password, and the password on any other sites where they might reuse the password.
Obviously it’s best practice to use a different ‘strong’ password for each individual online account, but sometimes people cheat and reuse passwords.
The question then comes as to how the criminals obtained the user’s credentials in the first place, we can provide training to your company’s staff to increase their awareness of the perils of social networking.
Get in touch, see how we can help.