(Image Credit: Three UK)
A data breach at Three UK has put roughly six million customers at risk after attackers accessed the operator’s database using authorized credentials.
Although financial details were not exposed in the incident, personal information such as names, phone numbers, addresses and dates of birth was accessed. Those records could be sold or used to facilitate scams and identity fraud.
“For years the industry has warned that the insider threat is one of the greatest risks to organisations. This is a case in point. While it’s conceivable that credentials were obtained by social engineering, the rapid arrests suggest an investigable chain of events and the likelihood that the compromise resulted from insider intent,” said Chris Hodson, EMEA CISO at Zscaler.
Authorities have already made multiple arrests linked to the breach. That quick progress indicates the breach may not have been a highly coordinated external attack and that investigators were able to trace the perpetrators’ actions promptly.
The National Crime Agency confirmed arrests on Wednesday 16 November 2016: a 48-year-old man from Orpington, Kent and a 39-year-old man from Ashton-under-Lyne, Manchester were detained on suspicion of computer misuse offences, and a 35-year-old man from Moston, Manchester was arrested on suspicion of attempting to pervert the course of justice.
Three UK has faced criticism for how it handled communications following the breach and for not providing clear information to affected customers. At the time of reporting, the company had not posted an alert on its website or directly messaged those impacted.
Three’s only public comment appeared on its Facebook page and stated: “We’re aware of an attempted fraud issue regarding upgrade devices and are working with police and relevant authorities on the matter. The objective was to steal high-end smartphones from Three, but we’ve already put measures in place to stop the fraudulent activity. We’d like to reassure customers that their financial details are not at risk. We are investigating how many customers are affected and will be contacting them as soon as possible. We’ll update with further information once we have this.”
The UK ISP TalkTalk suffered a high-profile data breach the previous year that resulted in a £400,000 fine. Regulators emphasize that companies must be transparent about breaches that affect members of the public. In TalkTalk’s case, the Information Commissioner concluded the company had failed to implement basic cyber-security measures, noting that poor security allowed attackers to penetrate its systems easily.
Unlike TalkTalk’s incident, which involved exploited vulnerabilities, Three’s breach appears to have resulted from misuse of legitimate logins rather than a direct technical vulnerability. That distinction may reduce the likelihood of a similar regulatory penalty, provided no further evidence of negligence emerges and the operator promptly informs affected customers and strengthens protections around privileged access.
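A breach carried out with legitimate logins leaves no exploit to patch, so the practical control is monitoring what authorized accounts actually do with their access. The script below is an added example, not Three UK's tooling: it assumes a hypothetical audit log with one line per customer-record lookup (`<ISO timestamp> <account> <action> <record id>`), counts the distinct records each account touched per day, and flags any account whose volume is far above that of its peers. The thresholds and the sample log are constructed for illustration.

```python
"""Detect bulk customer-record access by an otherwise authorized account.

Added example, not Three UK's tooling. Assumes a hypothetical audit log with
one line per lookup: "<ISO timestamp> <account> <action> <record id>".
"""
from collections import defaultdict
from statistics import median


def parse_line(line):
    """Parse one audit line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    timestamp, account, action, record_id = parts
    return {"date": timestamp[:10], "account": account,
            "action": action, "record": record_id}


def lookups_per_account_per_day(lines):
    """Count distinct customer records each account looked up on each day."""
    seen = defaultdict(set)          # (date, account) -> set of record ids
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["action"] != "LOOKUP":
            continue
        seen[(entry["date"], entry["account"])].add(entry["record"])
    return {key: len(records) for key, records in seen.items()}


def flag_bulk_access(lines, min_records=25, peer_ratio=5.0):
    """Return (date, account, count) for accounts far above their peers' volume.

    An account is flagged when it touched at least `min_records` distinct
    records in a day AND more than `peer_ratio` times the median of the other
    accounts active that day (absolute floor only when there are no peers).
    Both thresholds are assumptions; tune them to the real per-role baseline.
    """
    counts = lookups_per_account_per_day(lines)
    by_day = defaultdict(dict)
    for (date, account), n in counts.items():
        by_day[date][account] = n
    flagged = []
    for date in sorted(by_day):
        day = by_day[date]
        for account, n in sorted(day.items()):
            if n < min_records:
                continue
            peers = [v for a, v in day.items() if a != account]
            if peers and n <= peer_ratio * median(peers):
                continue
            flagged.append((date, account, n))
    return flagged


def constructed_sample_log():
    """Constructed audit lines: three agents with normal volume, one in bulk."""
    lines = []
    normal = {"agent_alice": 4, "agent_bob": 5, "agent_carol": 3}
    for account, n in normal.items():
        for i in range(n):
            lines.append(f"2016-11-14T09:{i:02d}:00Z {account} LOOKUP cust-1{i:04d}")
    # Same agent next day at normal volume, plus one account pulling 60 records overnight.
    for i in range(4):
        lines.append(f"2016-11-15T10:{i:02d}:00Z agent_alice LOOKUP cust-3{i:04d}")
    for i in range(60):
        lines.append(f"2016-11-15T02:{i:02d}:00Z agent_dave LOOKUP cust-2{i:04d}")
    lines.append("malformed line")   # the parser should skip this
    return lines


if __name__ == "__main__":
    for date, account, n in flag_bulk_access(constructed_sample_log()):
        print(f"{date} {account}: {n} distinct records (bulk access)")
```

Comparing each account against its peers rather than against a fixed number keeps the check meaningful across roles with different normal workloads; a fixed floor alone would either miss a slow bulk pull or drown the analyst in alerts from busy but legitimate agents. Pairing this with a per-record "reason for access" field in the log makes the resulting alert far easier to triage.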
“When a hack takes place, consumers expect to be told by the company rather than learning about it from the morning news. It is vital that organisations maintain a data-loss response plan and crisis communications strategy that can be enacted within hours so customers are notified immediately and the company can retain credibility,” said Nigel Hawthorn, chief European spokesperson at Skyhigh Networks.
Even if the breach was difficult to prevent, it is likely to have business consequences for Three. TalkTalk reported a more than 50 percent decline in pre-tax profit in the year after its cyber attack. As one of the UK’s smaller mobile operators, Three could face reputational damage and financial impact at a sensitive time, coming after its bid to merge with O2 was rejected earlier in the year.