Fraudsters accessed Three UK customer database with authorised credentials

Three UK, a telecom and ISP operating in the United Kingdom, has suffered a data breach. According to Three’s status report on the investigation, the attackers were able to access the company’s customer upgrade system by using login credentials of an employee, and their goal was to steal high-end smartphones.


“Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices,” the company explained.

“We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and 8 devices have been illegally obtained through the upgrade activity.”

Three has not said how many customers were affected, how long the perpetrators had access to the data (customer names, addresses, phone numbers, and dates of birth), or whether any of it was exfiltrated.

The company reassured users that customers' payment card and bank account information was neither accessed nor compromised, and said it will be contacting affected customers as soon as possible.

According to The Telegraph, the National Crime Agency is investigating the breach and has already arrested three people in connection with it. Two men are suspected of computer misuse offences, the third of attempting to pervert the course of justice.

“It appears the vulnerability came from a legitimate employee log-in, which provided the gang with easy access to critical information. On top of this, it bought them valuable time before anyone at Three noticed the unusual behaviour. These are both factors why an insider threat can prove far more dangerous than brute-forcing your way into a network. Any log-in or access details need to be strictly monitored by companies to prevent these kinds of attacks happening,” Jason Allaway, VP of UK & Ireland at RES, commented for Help Net Security.

“I believe this points to an issue with the on- and off-boarding processes at Three. Such issues should be addressed by refining and automating such processes to ensure they are protected against risk. New joiners should be granted the correct access, and leavers should be stripped of access entirely. If companies secure the lifecycle, new joiners and those exiting the company will not expose an access point leaving open the door to an opportunistic cybercriminal.”
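The two points made above, that use of a legitimate login has to be monitored for unusual behaviour and that leavers' access has to be removed, are the kind of thing a detection rule over the upgrade system's audit log can catch. The following is an added example written for this page, not code from Three, RES or Help Net Security; the log format, the field names, the sample lines, the HR leaver list and the thresholds are all constructed assumptions. It flags three things: a leaver's account still in use after their last working day, use of the upgrade system outside business hours, and one account touching more distinct customer records within an hour than a normal upgrade agent would.

```python
"""Added example: spotting misuse of legitimate employee credentials in a
customer-upgrade system from its audit log. Everything here (log layout,
HR feed, thresholds) is an assumption made for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log, one upgrade-system action per line (not real data).
SAMPLE_LOG = """\
2016-11-15T10:02:11 user=j.smith ip=10.1.4.22 action=view_upgrade cust=C10001
2016-11-15T10:15:40 user=j.smith ip=10.1.4.22 action=change_delivery cust=C10001
2016-11-15T11:30:05 user=j.smith ip=10.1.4.22 action=view_upgrade cust=C10002
2016-11-15T22:01:10 user=m.jones ip=10.1.9.81 action=view_upgrade cust=C20001
2016-11-15T22:02:33 user=m.jones ip=10.1.9.81 action=change_delivery cust=C20001
2016-11-15T22:03:08 user=m.jones ip=10.1.9.81 action=view_upgrade cust=C20002
2016-11-15T22:04:51 user=m.jones ip=10.1.9.81 action=view_upgrade cust=C20003
2016-11-15T22:05:20 user=m.jones ip=10.1.9.81 action=view_upgrade cust=C20004
2016-11-15T22:06:44 user=m.jones ip=10.1.9.81 action=change_delivery cust=C20004
2016-11-15T22:07:59 user=m.jones ip=10.1.9.81 action=view_upgrade cust=C20005
2016-11-15T22:09:12 user=m.jones ip=10.1.9.81 action=view_upgrade cust=C20006
2016-11-15T14:20:00 user=e.clark ip=10.1.2.5 action=view_upgrade cust=C30001
"""

# Constructed HR feed (assumption): username -> last working day of a leaver.
LEAVERS = {"e.clark": datetime(2016, 11, 10)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"action=(?P<action>\S+) cust=(?P<cust>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts, sorted by timestamp.
    Malformed lines are skipped rather than allowed to crash the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(d)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, leavers, window=timedelta(hours=1), max_distinct=5,
           business_hours=(7, 20)):
    """Return (rule, user, detail) alerts, at most one per rule per user."""
    alerts, fired = [], set()
    recent = defaultdict(deque)  # user -> (ts, cust) pairs inside the window

    def fire(rule, user, detail):
        if (rule, user) not in fired:
            fired.add((rule, user))
            alerts.append((rule, user, detail))

    for e in events:
        user, ts = e["user"], e["ts"]

        # Rule 1: a leaver's credentials used after their last working day.
        if user in leavers and ts > leavers[user]:
            fire("leaver_active", user,
                 f"last day {leavers[user].date()}, seen {ts}")

        # Rule 2: upgrade-system activity outside business hours.
        start, end = business_hours
        if not (start <= ts.hour < end):
            fire("off_hours", user, f"{e['action']} at {ts.time()} from {e['ip']}")

        # Rule 3: too many distinct customer records touched within the window.
        q = recent[user]
        q.append((ts, e["cust"]))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {cust for _, cust in q}
        if len(distinct) > max_distinct:
            fire("bulk_access", user, f"{len(distinct)} customers in {window}")

    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse_log(SAMPLE_LOG), LEAVERS):
        print(f"{rule:14} {user:10} {detail}")
```

On the sample data this raises three alerts: e.clark's account is used five days after the HR feed says they left, and m.jones works the upgrade system at 22:00 and touches six different customers in under ten minutes, while j.smith's daytime handling of two customers passes. The thresholds are deliberately low for the sample; in production they would be set from a baseline of what a genuine upgrade agent does per shift, and the leaver rule is only as good as how quickly HR's leaver data reaches the identity system.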

Hopefully, the attackers didn’t exfiltrate customers’ information and didn’t sell it on to other fraudsters. But, just in case, customers should be alert to phishing emails and calls from fraudsters claiming to be Three or other ‘associated’ companies.

“The compromised data included dates of birth, information which is often used as a security question. Such information is actually easily obtainable, so all consumers, not just Three’s customers, shouldn’t presume callers are legitimate for knowing it,” says Nigel Hawthorn, chief European spokesperson at Skyhigh Networks.

John Madelin, CEO at cybersecurity experts RelianceACSN, says that the most worrying thing about the Three breach is that it has been discovered by third parties.

“In this case they were only alerted to it once customers themselves started to complain about scam callers. The reality is we don’t know how long the hackers were in Three’s network, but the average time to discover an intrusion is 205 days. Three should have spotted this sooner, and it’s a case of understanding the threat vectors as this appears to be an insider threat. In the wake of the TalkTalk hack Three really should have done better,” he added.
