Ruslan Grumble - Fotolia
Police have arrested three men in connection with a data breach and mobile upgrade scam at mobile network operator Three.
According to the mobile operator, its upgrade system containing customers details, including eligibility for mobile phone upgrades, was accessed for criminal purposes using legitimate login credentials.
Although the database reportedly contained customer names, addresses, phone numbers and dates of birth, Three said the database did not contain any payment card or bank details.
However, the exposed personal details could be used for identity fraud or to trick customers into revealing their bank details by posing as bank representatives.
It is not yet known how many of mobile operator’s 8.8 million customers were affected by the breach.
However, Three has advised concerned customers to call 333 on a Three mobile phone or 0333 338 1001 from another phone, according to the Telegraph.
The case is reminiscent of the data breach at UK-based accounting software firm Sage in August 2016, when an internal login was used to gain unauthorised access to employee data at nearly 300 UK firms.
In that case, police arrested a woman who was employed by the software company, but Three would not tell Computer Weekly whether any of those arrested were current or former employees of the organisation, saying the matter was “still under investigation”.
The National Crime Agency (NCA) said it had arrested a 48-year-old man from Orpington, Kent, and a 39-year-old man from Ashton-under-Lyne, Greater Manchester, on suspicion of computer misuse offences.
A 35-year-old from Moston, Greater Manchester, was arrested on suspicion of attempting to pervert the course of justice, and all three have been released on bail pending further enquiries, the NCA said.
Read more about the insider threat
- Most organisations in Europe rely on outdated security technologies, exposing them to breaches by malicious or hapless insiders, a report reveals.
- Malicious employees are usually the focus of insider threat protection efforts, but accidents and negligence are often overlooked data security threats.
- This report from analyst group Quocirca looks at the challenges faced by organisations when it comes to the insider threat and the protection of sensitive information.
The compromised database was reportedly used to find customers eligible for mobile phone upgrades so that new phones could be ordered, deliveries intercepted and the devices sold for profit.
Three has been quoted as saying it has seen an increase in phone thefts and upgrade scams recently, including at least eight cases of handset upgrades being ordered and then stolen while in transit.
The mobile operator said thefts at retail stores had also been rising, with about 400 high-value handsets believed to have been stolen.
The company said it had strengthened its data controls and was contacting the eight handset fraud victims.
News of the data breach at Three comes just six weeks after the Information Commissioner’s Office issued a £400,000 monetary penalty against mobile operator TalkTalk for a data breach in October 2015.
Information commissioner Elizabeth Denham said TalkTalk had failed to apply “the most basic cyber security measures”, leaving its database of nearly 157,000 customers vulnerable to an SQL injection attack after failing to apply a fix for a software bug that had been available for more than three years.
“For years, the industry has said the ‘insider threat’ is the biggest risk to organisations,” said Chris Hodson, European CISO at security firm Zscaler. “This is a case in point. While it is conceivable that user credentials were obtained through social engineering, swift arrests suggest a chain of associated events can likely be traced and compromise comes from insider intent.
“Three might say it is OK that payment details weren’t accessed, but frankly who cares? It doesn’t mean that other confidential data can’t be used to build a false customer profile or commit subsequent fraud at scale.”
Hodson said the breach should serve as a reminder that strong authentication mechanisms and detection controls are essential.
“Of course prevention is ideal, but it’s not always possible,” he said. “We must find ways to reduce the time from initial breach through to identification.”
Compromised credentials possibility
Ryan O’Leary, vice-president, Threat Research Centre at WhiteHat Security, also believes there is a strong possibility that an employee has had his or her credentials compromised.
“This could have been caused by a direct attack, where the attacker attempted to steal the credentials of a specific user, or by using compromised credentials from an entirely different data breach,” he said.
Thomas Fischer, threat researcher and security advocate at Digital Guardian, said insider threats are almost always preventable if the right people management processes and tools are in place, even if an external party has compromised a legitimate user’s account.
“There are numerous technologies out there designed to combat insider threats and small investments can go a long way,” he said. “Deploying data-aware cyber security solutions removes the risk of a hacker with legitimate access to the data because they are prevented from copying, moving or deleting it without approval.”
Duty of care
Paul Lyden, vice-president Northern Europe at Barracuda Networks, said: “All businesses have a duty of care to ensure they have robust security systems in place to protect their own and their customers’ data.
“The latest hack against Three highlights that not enough is being done to get the correct security procedures and systems in place.”
According to Lyden, the world is entering a “golden age for digital crime” because businesses have injected change at accelerating speed into all elements of IT.
“As a result, many organisations are fighting an increasingly challenging battle to keep their security stable,” he said. “It has now become easy for attackers to find an unprotected door.”