Three upgrades hack: Are you at risk?

Report claims two-thirds of customer data was available to hackers

Three
(Image credit: Three)

Yet another cyber-attack has hit the headlines, this time relating to the mobile network Three. So what exactly happened and, if you are a Three customer, are you at risk?

How was Three hacked?

It's not absolutely clear that the network was "hacked", as such. A company spokesman has confirmed that "the perpetrators used authorised logins" to Three's customer databases.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE
https://cdn.mos.cms.futurecdn.net/flexiimages/jacafc5zvs1692883516.jpg

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

This means, says the Daily Telegraph, that "an employee login" was used. It is not known whether, and if so how, these access details were stolen.

Did criminals get access to customer data?

Yes – the Telegraph reckons the "private information of two-thirds of the company's nine million customers could be at risk".

Three insists, though, that no financial information is stored in the databases that were accessed, which track when subscribers are due handset upgrades.

The personal data at risk includes "names, phone numbers, addresses and dates of birth".

So what was the point of it?

It was a handset scam. Sky News says "hackers used the information to arrange for eight customer upgrades before intercepting them".

Affected customers are unlikely to lose their right to upgrade, so this amounts to stealing handsets from the mobile network.

Three said the attack was consistent with "increasing levels of attempted handset fraud" in the past month or so, including more "burglaries of retail stores".

I'm a Three customer, am I at risk?

Based on what we know so far, not directly – but watch out for so-called "phishing" scams.

This refers to the practice of fraudsters calling customers and using personal information to convince the victims the call relates to their account in order to trick them into giving up financial information.

Three only "discovered the scale of the problem" on this occasion after customers complained that "scam callers were attempting to gain access to their bank accounts", says the Telegraph.

Stolen personal information also gives rise to risks of identity theft.

Is there a criminal investigation?

Yes – and it has already resulted in arrests.

The National Crime Agency arrested a 48-year-old from Orpington, Kent, and a 39-year old from Ashton-under-Lyne, Manchester, on suspicion of computer misuse offences.

A 35-year old from Moston, Manchester, has also been arrested on suspicion of attempting to pervert the course of justice.

How unique is this?

Not unique at all. TalkTalk was recently fined £400,000 after its own data breach last year, which led to a 17 year-old boy pleading guilty to seven counts of breaching the Computer Misuse Act 1990 at Norwich Crown Court earlier this week.

Vodafone has also been subject to a cyber-attack. A Tesco Bank hack this month led to £2.5m being stolen from customer accounts.