British cellular carrier Three Mobile has admitted that two thirds of its customer base information was successfully accessed through the company’s customer upgrade database using an employee login. Three explained that the data accessed included names, telephone numbers, addresses and dates of birth, but also highlighted that it did not contain financial information. Three’s investigation shows that the hackers used the stolen information to upgrade customer contracts and to intercept the handsets, presumably to sell these on at a profit. It appears that the data loss happened some weeks ago: a Three spokesperson explained that over the last four weeks the company has had four hundred high value handsets stolen through burglaries of retail stores, which it is connecting to the data loss. Furthermore, eight high value devices have been stolen through a false upgrade. The company has “taken a number of steps to further strengthen [their] control.” The hackers had access to the upgrade database, which is believed to contain information on up to six million customers, but Three has not confirmed how many people could be impacted. It also explained that it had not yet informed customers of the data loss. We understand Three will inform the eight customers who have had their account upgraded but the smartphone stolen.
However, Three has involved the British police and authorities, and the (British) National Crime Agency is already investigating the data breach. Last night, November 16th, three people were arrested in connection with the hack. A 48-year-old man from Orpington in Kent and a 39-year-old man from Ashton-under-Lyne, Manchester, were arrested on suspicion of computer misuse offences. A third man from Moston, Manchester, was arrested on suspicion of attempting to pervert the course of justice. The latest information is that all three individuals have been released on police bail as investigations continue and that no further information will be released.
Concerned Three Mobile customers can contact customer services by dialing 333 from their Three smartphone or 0333 338 1001 from another network or phone. All Three customers are advised to be extra vigilant against phishing attacks: should this information be sold online, it could be available to other, malicious callers claiming to be banks or financial organisations. As for Three, it is unclear what the ramifications for the business will be apart from recovering the missing 400+ handsets. The British Information Commissioner’s Office could potentially fine the company up to £500,000 (around $625,000) following the breach, but we do need to let the authorities complete their investigation.