Three fails to stop second data leak

Mobile operator Three should have done a thorough review and upgrade of security after its previous security breach to avoid another incident just months later, say security commentators

Mobile network operator Three has been hit by another data breach, just four months after a database containing thousands of customers’ details was accessed for criminal purposes.

In November 2016, police arrested three men in connection with a data breach and mobile upgrade scam that affected nearly 134,000 customers. The scammers reportedly used legitimate credentials to access a company database to find customers eligible for mobile phone upgrades so that new phones could be ordered, deliveries intercepted and the devices sold for profit.

Just days before news of the latest data leak emerged, Three contacted a further 76,373 customers to warn them that the scammers may have accessed their details too, but said no fraudulent action is suspected. 

The latest data leak was discovered by customers who were presented with the names, addresses, phone numbers and call histories of other customers when they logged into their accounts.

Three, which is owned by telecoms firm Hutchison and has 9 million UK customers, said it is investigating a technical issue with its systems and urged those affected to contact the company’s customer service department.

Affected customers are demanding to know why other customers have been given access to their details and for information about who has had access.

“We are aware of a small number of customers who may have been able to view the mobile account details of other Three users using My3,” the company said in a statement. “No financial details were viewable during this time and we are investigating the matter.”

The Information Commissioner’s Office (ICO) said it “will be looking into this potential incident involving Three”, the Guardian reports.

A spokeswoman for the privacy watchdog said: “Data protection law requires organisations to keep any personal information they hold secure. It’s our job to act on behalf of consumers to see whether that’s happened and take appropriate action if it has not.”

In October 2016, the ICO issued a £400,000 monetary penalty against mobile operator TalkTalk for a data breach a year earlier.

Information commissioner Elizabeth Denham said TalkTalk had failed to apply “the most basic cyber security measures”, leaving its database of nearly 157,000 customers vulnerable to an SQL injection attack after failing to apply a fix for a software bug that had been available for more than three years.

Leaked data ‘tip of the iceberg’, says expert

David Navin, corporate specialist at security software firm Smoothwall, said Three will have some tough questions to answer, such as why its customer data was not watertight and 100% secure after the previous security incident.

“The leak, which seems to allow Three customers to inadvertently view other customers’ data, might be the tip of the iceberg for many on the network,” he said.

According to Navin, the company should review its internal security systems promptly to ensure it has a layered security defence spanning encryption, firewalls, web filtering and ongoing threat monitoring, as well as a proactive stance against threat actors.

“With more than nine million customers in the UK and a seemingly penetrable security bubble, hackers will be rubbing their hands at the prospect unless drastic changes are made,” he said.

Safeguarding basic privacy

John Madelin, CEO at cyber security services firm RelianceACSN, said that with the growing complexity of IT systems and the digitisation of businesses, it is easy to lose sight of the simple fact that security is about managing confidentiality, integrity and availability.

“In other words, simply safeguarding critical data, and not just IT hardening. While at the moment this doesn’t look like a true security breach, it’s clear that Three is struggling to manage basic customer privacy,” he said.

“It’s extremely concerning that strangers have been able to see each other’s account detail. Even information such as names, addresses, phone numbers and call histories can be used for criminal activities if in the wrong hands.”

Three said after the upgrade scam was discovered in November 2016, the company added “additional layers of security on the upgrade system and, as a precaution, additional security on all customer accounts”. 

Three breach shows lack of GDPR preparation

Chris Hodson, European CISO at cloud-based security services firm Zscaler, said that with just 14 months to go before companies handling EU citizens’ data have to comply with the General Data Protection Regulation (GDPR), the latest data leak at Three is a reminder of how far behind some firms are in their preparations.

“No company will want a breach to come as a surprise as we move into a legislatory minefield with excruciating consequences for non-compliance. Identification needs to be a priority moving forwards, so that dwell time can be reduced and unnecessary harm mitigated.

“Moving on from that, prevention can be achieved using platforms that meet GDPR requirements and are architected with ‘security and privacy by design’,” he said.
