Following on from our earlier story, Three have now admitted that yes, their systems were accessed and yes, customer information was obtained.
The whole event appears to have spooked quite a number of Three customers, as their site became overloaded last night due to the amount of people trying to get information. If you can get onto their website, David Dyson, the CEO of Three, states that ..
As you may already know, we recently became aware of suspicious activity on the system we use to upgrade existing customers to new devices and I wanted to update all our customers on what happened and what we have done
Once we became aware of the suspicious activity, we took immediate steps to block it and add additional layers of security to the system while we investigated the issue.
On 17th November we were able to confirm that 8 customers had been unlawfully upgraded to a new device by fraudsters who intended to intercept and sell on those devices.
It seems that the fraudsters, who were possibly staff, accessed to upgrade system and pushed through upgrades without the real owner knowing. Mr Dyson (no, not the one who invented the dust-sucking device) goes on to tell us..
I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.
From what we’ve seen so far, this wasn’t a “hack” and there wasn’t a direct attempt to steal any customer details. It was – from what I can make out – a ham-fisted attempt at bagging a few handsets without paying.
All customers who had their data accessed are being contacted by Three to help answer any questions they make have. The network has also added “increased security” to all those accounts.
A full FAQ is also online, so do have a read if you’re concerned. There’s also a full statement, which reveals that a bit more information. It seems that some people had rather more sensitive information taken, with employment status, marital status, address, previous addresses and data of birth taken. All useful information if you use this elsewhere. Here’s a look at the severity of the data amongst those 133,827 accounts…
– 107,102 customers may have had details about contract type taken (handset or SIM only) plus contract start and end date, handset type, Three account number, how long they’ve been with Three, whether the bill is paid by cash or card, plus the billing date and name.
– 26,725 customers may have had their name, address, date of birth, gender, handset type, contract start and end date, contract type (handset or SIM only), telephone number, email address, previous address, marital status, employment status, Three account number and phone number and how long they’ve been with Three.