UPDATE: Scale of Three customer data breach massively downsized, but identity theft remains a risk
Late yesterday, Three admitted to a breach of its customer databases which potentially put 6 million people at risk. Today the company has spoken out, indicating that far fewer customers were affected than first thought.
In fact, data from just over 130,000 accounts was accessed, with varying levels of access meaning different customer information was exposed. Three says the primary goal of the database breach was to intercept handsets rather than for other purposes, and it stresses that no financial information was stolen.
Three says that for 107,102 customers, the following information may have been accessed: whether they are a handset or SIM only customer; contract start and end date; handset type; Three account number; how long they've been with Three; whether the bill is paid by cash or card; billing date; name.
For an additional 26,725 customers the following data may be involved: name; address; date of birth; gender; handset type; contract start and end date; whether they are a handset or SIM only customer; telephone number; email address; previous address; marital status; employment status; Three account number and phone number; how long they’ve been with Three.
Company CEO Dave Dyson issued a statement:
As you may already know, we recently became aware of suspicious activity on the system we use to upgrade existing customers to new devices and I wanted to update all our customers on what happened and what we have done.
I understand that our customers will be concerned about this issue and I would like to apologise for this and any inconvenience this has caused.
Once we became aware of the suspicious activity, we took immediate steps to block it and add additional layers of security to the system while we investigated the issue.
On 17th November we were able to confirm that 8 customers had been unlawfully upgraded to a new device by fraudsters who intended to intercept and sell on those devices.
I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.
We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.
We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have. As an additional precaution we have put in place increased security for all these customer accounts.
We have been working closely with law enforcement agencies on this matter and three arrests have been made.
I understand that this will have caused some concern and inconvenience for our customers and for that I sincerely apologise.
Image credit: mubus7 / Shutterstock.com