Three’s website exposes mobile phone customers’ details to strangers

Technical snafu rather than hack likely to be the cause.

Graham Cluley
@gcluley

Three appears to have made a blunder, after customers logging into the British mobile phone company’s website found themselves looking at other customers’ accounts – including the names, addresses, call histories and data usage of complete strangers.

The Guardian describes how one customer, Andy Fidler, found the Three app on his mobile phone wasn’t working – and so he decided to log into Three’s website instead:

“I managed to successfully download a complete stranger’s phone bill. All I did was click on the link to bring up my bill. It included the name, address, how much they were paying, the phone numbers they had rung and texted.”

Fortunately, bank details were not accessible.

He wasn’t the only one to stumble across the problem – which appears to be more of a technical screw-up than a malicious hack – as posts on Three’s official Facebook page reveal.

A Three spokesperson says that they are aware of the problem and are investigating.

But one has to wonder how many customers could have been put at risk of having their private data exposed, and for how long the problem has been present.

The Information Commissioner’s Office has confirmed it will be “looking into this potential incident involving Three”, and if it finds the company has been sloppy in securing customer details, it is unlikely to be impressed.

Last November, in what appears to be an unconnected incident, Three revealed that its upgrade database had been breached, exposing the names, phone numbers, addresses and dates of birth of over 130,000 customers.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 comments on “Three’s website exposes mobile phone customers’ details to strangers”

  1. Unacceptable. I'd encourage anybody affected by this to report Three to the Information Commissioner's Office and then seek independent legal advice.

    https://ico.org.uk/
