More details emerge regarding the Three data breach

No bank details or passwords exposed, but information on 133,827 accounts obtained.

Graham Cluley

Kudos to British mobile phone company Three, which has shared more details regarding its recent data breach:

On 17th November we were able to confirm that 8 customers had been unlawfully upgraded to a new device by fraudsters who intended to intercept and sell on those devices.

I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.

We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.

We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have.

As an additional precaution we have put in place increased security for all these customer accounts.

There’s some good news here. No passwords were exposed, and no financial information.

Furthermore, although customer contact information could be abused by scammers in an attempt to extract further details (such as banking information) it doesn’t appear that this was the motivation for the attack. Instead, by all accounts, the belief is that criminals were ordering new phone upgrades on behalf of individuals, and then physically intercepting the devices’ delivery in order to sell them on to others.

Three says it is working closely with law enforcement agencies, and appears to be keen to communicate with affected customers. Good for them!

More information can be found in Three’s FAQ.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “More details emerge regarding the Three data breach”

  1. Bob

    Two of their FAQs – total whitewash response, not at all reassuring:

    "You have broken my trust, how will you compensate me for it?"

    "We have already confirmed that no financial information has been accessed. At this stage only 8 devices have obtained through this investigation."

    "I don't trust Three to keep my data secure, I want to cancel right now."

    "We have put in place enhanced controls to protect your mobile account and would assure you that Three takes the security of your data very seriously."

    1. Bob · in reply to Bob

      I strongly recommend anybody affected to complain to the ICO, complain to Three, take it to Ombudsman Services (this costs Three dearly) and then if still unsatisfied SUE Three in the County Court.
