There are only a few choices in the UK when it comes to mobile phone providers. One of those companies is ThreeUK. This therefore means that out of the UK population, the number of people using this provider is significant.
This puts a significant amount of user data in the hands of ThreeUK to look after. Also, you have to remember that the data a mobile phone provider holds is quite a lot – name, address, phone number, payment details, calls, websites visited, SMS message data … to start that list off!
And indeed, they have been attacked, and the number of victims looks like 6 million! The criminals used an employee login to gain entry, where they arranged for phones to be sent out to customers but then intercepted them before arrival.
Is there some good news? Yes … no financial data was accessed … and that’s the good news.
However, I think the important thing here is that it was an employee’s credentials that were used. In information security we talk about insider threat a lot … and I think this just emphasises the point.
The NCA (National Crime Agency) have arrested three people – 2 from Manchester and 1 from Kent, one of them for attempting to pervert the course of justice. So well done to the NCA for getting that done so quickly.
Earlier today I tweeted the news and had an unusual response from ThreeUK that I wasn’t expecting…
Hi SP, we’re aware of an attempted fraud issue regarding upgrade devices & are working with police & relevant authorities on the matter. The objective was to steal high-end smartphones from Three but we’ve already put measures in place to stop the fraudulent activity. We’d like to reassure customers their financial details are not at risk. We’ll update with further info once we have this. >CC
Looking at their Facebook post, it is interesting that some people are seeing charges on their accounts that they did not authorise.
Susan Hunt I just checked my account and I have a charge for a ‘Euro Internet Pass’ – no idea what this is and I have no use for it as 1) I have not been/not going to Europe this year and 2) I have Feel at Home on my contract anyway. Is this to do with the fraud or something else?? Bill is £10.11 so not a massive amount but still unexplained.
Three UK Hi Susan, no this won’t be related. It’s possible it’s been a billing error but we can certainly get our billing team to check. Can you please come speak to us on webchat and we’ll get this investigated. Thanks >Kimberley
As users pressed ThreeUK to find out the date of the activity, there is this glimmer in there:
Three UK Hi Janet, Within the last week we discovered suspicious activity and started our investigations and formally notified the Police. Our investigation is still underway and we are working with the Police very closely. If you have any further questions, please get back in touch. Thanks >Gillian
The ICO (Information Commissioner’s Office) has tweeted:
“We’re aware of this incident and are making enquiries. The law requires that organisations take appropriate measures to keep people’s personal data secure. As the regulator, it’s our job to act on behalf of consumers to see whether that’s happened.”
However, the key part that I wanted to bring up in this blog is … no one is asking why ThreeUK let this happen; it’s as if the consumers were expecting it to happen. What they want to know is:
- when it happened,
- whether they are involved,
- what is happening,
- what happens next,
and I think this is the lesson for us all.
If you are in an infosec job, the C-suite and the managers are probably expecting that a criminal has compromised the company; they want to know when, who and what.
Good luck to the teams involved: the IT security team working out what went on, the forensics teams reconstructing what happened, and law enforcement, who are putting all the evidence together to build a case.