Customers’ anger at Three silence after cyber attack
Mobile network admits hackers gained access to hundreds of thousands of customers’ personal details
THREE Mobile customers criticised the UK network yesterday for failing to inform them that they had fallen victim to a data breach after The Daily Telegraph revealed cyber criminals had accessed the personal data of hundreds of thousands of users.
Customers fearing that their personal information had been compromised accused the company of negligence after finding out about the data breach from the media and initially receiving no official communication from Three.
The company admitted attackers had accessed a system containing the data and contact details of customers who were eligible for an upgrade, but failed to contact them in the immediate aftermath of the discovery. The hack appeared to be an attempt to illegally intercept replacement handsets rather than to exploit raw data.
Three initially responded to queries on social media, eventually posting a statement to its website and directing users to a customer service number.
But customers who do not use social media were left in the dark when Three offered little information on the hack. One said: “Why haven’t they got in touch to tell me about it? You have to go through the process of pretending to want to buy a new phone to speak to anyone.” Three last night said it had started contacting all those affected, 133,827 in total.
Three first contacted the National Crime Agency about the intrusion on Sunday. The NCA arrested three people in association with the incident on Wednesday – two on suspicion of computer misuse offences and one on suspicion of attempting to pervert the course of justice.
Customers of the mobile phone net- work said they should have been alerted as soon as Three discovered the breach. One customer complained to the company on Twitter that it didn’t do enough to inform them that their sensitive information could be in the hands of criminals.
“I read the news article last night. Why is there no statement on your website? Twitter’s not the way to do this,” the user said. “You’re only talking to me because I found out on Twitter and asked you. What about elderly people without social media accounts?” Three said: “We use social media as an initial point of contact because it allows us to contact a large base of our customers quickly.”
The information accessed includes the name, phone number, phone type, date of birth, address, marital status, previous address, gender, employment status and email addresses, Three confirmed. No data has appeared for sale online, according to experts who study criminal marketplaces on the web.
While it didn’t contain any financial details, criminals could use the information available to find out bank or credit card details by sending scam messages, called phishing, or by phoning and pretending to be a legitimate business such as a bank or phone company.
David Dyson, the chief executive, last night apologised for causing “concern and inconvenience”.
“We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have. We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.” Three said it has increased the security for the affected accounts.
‘Why is there no statement on your website? Twitter is not the way to do this. What about elderly people?’