Out-Law News

Three data breach affected more than 133,000 customer accounts, company confirms


Personal data belonging to more than 133,000 Three customers was compromised by fraudsters, the mobile network operator has confirmed.

Three last week reported that "authorised logins" had been used to access its systems holding details of customers eligible for an upgrade of their mobile handsets. Fraudsters used the information to "unlawfully intercept upgrade devices", the company said at the time.

Three has now confirmed that the fraudsters had "obtained" data from 133,827 customer accounts as part of the incident. The company also confirmed the fraudsters had "unlawfully upgraded" eight customers to a new device with the intention of intercepting those devices and selling them on.

Three chief executive David Dyson said "no bank details, passwords, pin numbers, payment information or credit/debit card information" are stored on the customer upgrades system that was compromised in the incident.

"We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently," Dyson said. "We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have."

"As an additional precaution we have put in place increased security for all these customer accounts. We have been working closely with law enforcement agencies on this matter and three arrests have been made. I understand that this will have caused some concern and inconvenience for our customers and for that I sincerely apologise," Dyson said.

A spokesperson for the UK's data protection watchdog, the Information Commissioner's Office (ICO), told Out-Law.com last week that it was aware of the data breach at Three and was "making enquiries".

The ICO spokesperson said: "The law requires that organisations take appropriate measures to keep people’s personal data secure. As the regulator, it’s our job to act on behalf of consumers to see whether that’s happened."

Civil fraud and asset recovery specialist Alan Sheeley of Pinsent Masons, the law firm behind Out-Law.com, said that criminals do not necessarily need access to bank details to defraud people.

He said some businesses view IT costs as a "business expense" and that boardroom executives are sometimes of the view that budget is better spent on other things. However, the onus is on businesses to operate robust systems capable of repelling cyber attacks and to have response plans in place for handling cyber incidents if they do occur, Sheeley warned. This is because businesses risk major fines of up to 4% of their annual global turnover, or €20 million, whichever is greater, under the new General Data Protection Regulation (GDPR) when it comes into force in 2018, he said.

Sheeley said: "Businesses need to focus on their IT systems and make sure they are up to date and robust. Failure to carry out the bare minimum could result in record fines in the near future which could destroy business."

"Businesses need to have in place crisis response plans to deal with hackers and the consequences. Such a plan must include instructing appropriate external experts, not just their IT department, who are unlikely to have the necessary skills on their own to secure evidence and identify the vulnerabilities and the weaknesses in the system. Indeed, where IT services are outsourced, it may not be in that supplier's interest to highlight their own weaknesses to the customer for fear of becoming vulnerable to claims in negligence, although the GDPR will place new obligations on data processors to disclose data breaches to the data controller," he said.

"A crisis response plan must include instructing civil fraud solicitors to recover any funds or data that has been lost. Civil fraud solicitors are well skilled in obtaining disclosure orders against SIP providers to trace the hackers and identify weaknesses in the IT system. Also, companies should not assume that a hacker has acted alone – sometimes employees are involved as well," Sheeley said. 
