Three’s website exposes mobile phone customers’ details to strangers

Technical snafu rather than hack likely to be the cause.

Three's website exposes mobile phone customers' details to strangers

Three appears to have made a blunder, after customers logging into the British mobile phone company’s website found themselves looking at other customers’ accounts – including the names, addresses, call histories and data usage of complete strangers.

The Guardian describes how one customer, Andy Fidler, found the Three app on his mobile phone wasn’t working – and so he decided to log into Three’s website instead:

“I managed to successfully download a complete stranger’s phone bill. All I did was click on the link to bring up my bill. It included the name, address, how much they were paying, the phone numbers they had rung and texted.”

Sign up to our free newsletter.
Security news, advice, and tips.

Fortunately, bank details were not accessible.

He wasn’t the only one to stumble across the problem – which appears to be more of a technical screw-up than a malicious hack – as posts on Three’s official Facebook page reveal.

Three complaint

A Three spokesperson says that they are aware of the problem and are investigating.

But one has to wonder how many customers could have been put at risk of having their private data exposed, and for how long the problem has been present.

The Information Commissioner’s Office has confirmed it will be “looking into this potential incident involving Three”, and if they find the company has been sloppy with its securing customer details it is unlikely to be impressed.

Last November, in what appears to be an unconnected incident, Three revealed that its upgrade database had been breached, exposing the names, phone numbers, addresses and dates of birth of over 130,000 customers.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Three’s website exposes mobile phone customers’ details to strangers”

  1. Bob

    Unacceptable. I'd encourage anybody affected by this to report Three to the Information Commissioner's Office and then seek independent legal advice.

  2. Mark Jacobs

    That's SQL Server for you!

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.