Three UK Mobile Data Breach – November 2019

Mobile telecommunications provider, Three UK, are once more at the centre of a data breach scandal. On the 29th October 2019, customers of the Three mobile network reported an issue with the Three website that gave casual browsers (many of whom had not used the Three website before) to gain access to personal data, including billing information and phone records. Customers voiced their worries publicly on Twitter, which alerted data security journalists at The Register who reported on the blunder.

While Three UK has approximately 10 million customers, it claims that “fewer than 10 customers have reported being able to view other customer’s account information.” Adding: “No sensitive financial information was viewable at any time, we are investigating the matter and we apologise for any inconvenience caused.”

Later, a Three spokesperson admitted: “So far we know that 8 devices have been stolen and these customers have been contacted. ”

Further elaborating on the three data breach,  the spokesperson added: “We are still investigating but we can confirm that no payment or card information has been accessed. We are contacting those customers who have been impacted by upgrade fraud.”

Three data breach 2017 hack

Unfortunately, this isn’t the first time Three has been hacked. In 2017 the multinational telecommunications company was subject to a mass data breach in which some customers were able to view the mobile account details of other Three users using My3.

One customer, Andy Fidler, commented: “I managed to successfully download a complete stranger’s phone bill. All I did was click on the link to bring up my bill. It included the name, address, how much they were paying, the phone numbers they had rung and texted.”. Fielder did however state that bank details were not available.

Speaking on Three’s 2017 data breach, Dave Dyson, Three’s former CEO, stated: “In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question. We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.”

In March 2020 Confense spotted another Three data breach. This data breach involved customers being invited to edit their billing information to avoid disruption as hackers lied to customers by stating that their bill payments could not be processed. Worryingly, the hackers were able to replicate Three’s HTML code, enabling them to disguise their attack behind a styling that was almost identical to Three’s.

Three UK are bound by Regulation 5a pf the Privacy and Electronic Communications Regulations to explain exactly how many people were affected and what they are doing to respond to the issue at hand.

After being informed of the November 2019 Three Data Breach, the ICO had this to say on the matter:

“We are aware of an incident concerning 3 Mobile and will be assessing the information provided.”

If you’ve been affected by this data breach or a similar one then we may be able to help you claim compensation – get in touch by starting a chat in the bottom right corner, calling us directly on 0151 242 9035 ,or sending us a message using the contact form below.