Cyber attack on phone giant puts 6m at risk
One of Britain’s biggest mobile phone companies has admitted to a major cyber-security breach which could put the personal data of millions of customers at risk.
Three UK admitted that hackers had successfully accessed its customer upgrade database after using an employee login.
Sources familiar with the incident told The Daily Telegraph that the private information of two thirds of the company’s nine million customers could be at risk. The company confirmed the breach last night but declined to say whether customers’ data was stolen or how many had been affected.
Three said that the data accessed included names, phone numbers, addresses and dates of birth, but added that it did not include financial information.
It comes after TalkTalk, the phone and broadband company, admitted in October that the private details of 157,000 customers had been hacked. The company only discovered the scale of the problem after it received complaints from customers that scam callers were attempting to gain access to their bank accounts.
Earlier this month, Philip Hammond, the Chancellor, said that companies had a duty to protect their customers against cyber crime following a series of high-profile breaches. He told an audience in London: “Trust in the internet and the infrastructure on which it relies is fundamental to our economic future. Because without that trust, faith in the whole digital edifice will fall away.”
Three said that the hackers had been accessing customer accounts and upgrading them, then intercepting new phones that were sent out, possibly in order to sell them on. Customers whose data was hacked have not yet been informed.
The National Crime Agency is investigating the breach and said that three people had been arrested, two for computer misuse and one for perverting the course of justice.
A spokesman for Three said: “Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.
“To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity.
“The investigation is ongoing and we have taken a number of steps to further strengthen our controls. In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system. This upgrade system does not include any customer payment, card information or bank account information.”
Three has over nine million customers and it is understood that hackers, who used company access codes to get into the system, had access to large parts of the upgrade database.
The theft will prompt concerns that personal information of millions of customers could be traded online.
A spokesman for the National Crime Agency said: “On Wednesday 16 Nov, officers from the National Crime Agency arrested a 48-year-old man from Orpington, Kent, and a 39-year-old man from Ashton-under-Lyne, Manchester, on suspicion of computer misuse offences, and a 35-year-old man from Moston, Manchester, on suspicion of attempting to pervert the course of justice. All three have since been released on bail pending further enquiries. As investigations are ongoing no further information will be provided.”
Three, a subsidiary of Hutchison Whampoa, was founded in 2003 and employs more than 4,000 people in the UK. Its network carries over 37 per cent of the UK’s mobile phone data.
claim it by clicking on the link below”. This would take people to a fake website run by cyber criminals that asked for bank details.
Three customers should be vigilant when receiving unsolicited emails, text messages and post. If you’re uncertain about the source of a message, don’t click on any links. If you suspect a message, find the company’s official email address or phone number and contact them directly.
Q What do I do now?
A If you’re a Three customer and are worried that your information may have been accessed, you are advised to contact Three and your bank. You should also change the passwords for your online accounts immediately.