Data breach at Three, millions of customer details potentially exposed

Criminals said to have stolen handsets from stores and accessed upgrade database.

Graham Cluley
Graham Cluley
@

 @grahamcluley.com
 @[email protected]

Data breach at Three, millions of customer details potentially exposed

The Telegraph writes that customers of the UK’s Three mobile network may have had personal details exposed (names, phone numbers, addresses and dates of birth) after the company’s upgrade database was breached:

Three has suffered a massive data breach in which the personal information and contact details of millions of customers could have been accessed. It is believed to one of the largest hacks of its kind to affect people living in Britain.

The National Crime Agency (NCA) is said to have made a number of arrests in connection with the breach.

Sign up to our free newsletter.
Security news, advice, and tips.

Here’s a statement from Three itself, which pours some cold water on the idea that this was technically a “hack” and instead suggests that the criminals may have used an employee’s legitimate username and password to access the sensitive database:

“Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.”

“We’ve been working closely with the police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity.”

“In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system.”

Apparently financial information, including bank and credit card details, was not included in the database – but it sounds as if the criminals may have had enough information about Three customers to potentially extract banking details via scam phone calls and the like (a technique we have often seen used against TalkTalk customers in the past).

As a result, I would recommend that Three customers exercise great caution if they are contacted by someone claiming to be from Three.

Remember when you get calls like this, you shouldn’t have to share personal information to prove who you are – they should have to prove who they are. If in any doubt, go to the company’s official website (check the URL is the right one!) and call up their customer service department for guidance.

TalkTalk treated its scammed customers poorly after its headline-hitting data breach. Let’s hope that Three does a better job.

Further reading: More details emerge regarding the Three data breach


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.