New Three Data Breach Exposes Mobile Customer Account Details To Total Strangers

Three has suffered a new data breach after an apparent technical glitch saw customers presented with the account details of other subscribers.

Those affected could apparently access the bills, call logs and phone numbers of other people using the My3 mobile application.

One customer was made aware of the incident after someone else who had access to his account phoned them.

Tales in tech history: Three’s entry into the UK mobile market

Three data breach

“Care to explain just how my details have been shared, how many people have had access to my personal information, for how long, and how many of your other customers have had their details leaked by yourselves to other members of the public as well?” Mark Thompson said on Three’s official Facebook page. “I find this a shocking breach of data privacy.”

He detailed his communications with Three customer support and said he had informed both the tech and fraud teams at the Hutchison-owned operator. Others on Facebook and Twitter said they were also affected, while other complained Three’s online services and applications were down – presumably while the glitch is investigated.

At the time of writing, Silicon was unable to access several services on the My3 app.

“We are aware of a small number of customers who may have been able to view the mobile account details of other Three users using My3,” a spokesperson told The Guardian. “No financial details were viewable during this time and we are investigating the matter.”

The Information Commissioner’s Office (ICO) has confirmed it will look into the incident.

“We will be looking into this potential incident involving Three,” a spokesperson told Silicon. “Data protection law requires organisations to keep any personal information they hold secure. As the regulator, it’s our job to act on behalf of consumers to see whether that’s happened and take appropriate action if it has not.

“If people are concerned their details may have been used, there are measures they can take to guard against identity theft, for instance being vigilant around items on their credit card statements or checking your credit ratings.”

The incident further damages Three’s reputation for cybersecurity. In November, it was eported that criminals had gained acces to Three’s customer database, which includes names, addresses, dates and births of those eligible for smartphone upgrades.

It also evokes memories of an even worse breach at online PC game marketplace Steam on Christmas Day 2015 as on this occasion, even card details were leaked.

Quiz: What do you know about Internet security?