Three UK has been hit by an internal data breach that has left millions of customers’ personal data at risk and led to three arrests, the company has confirmed.
Hackers are believed to have used employee logins to access internal upgrade systems, giving them access to customer data including names, addresses and dates of birth. Three has more than nine million customers in the UK.
Three, owned by Hong Kong conglomerate CK Hutchison, said initial investigations into the breach, which was discovered on Monday 14 November, found no evidence of hackers breaching customers’ sensitive financial data.
However, the operator said a number of high-value handsets had been stolen over the last four weeks, with some obtained illegally through the upgrade activity.
The National Crime Agency confirmed three arrests had been made in connection with the breach. A 48-year-old man from Orpington, Kent, and a 39-year-old male from Ashton-Under-Lyne, Manchester were arrested on suspicion of computer misuse offences, while a third man, from Moston, Manchester, has been arrested on suspicion of attempting to pervert the course of justice.
The Telegraph claims up to six million customers may be affected by the breach, although sources close to the operator said it did not recognise this number. Three refused to comment on the number of customers impacted, saying it is still investigating.
In a statement, Three stressed that the perpetrators used authorised logins to access the upgrade system, and that their external security had not been breached, as had occurred in recent high-profile hacks such as the TalkTalk cyber breach.
“Over the last four weeks Three has seen an increasing level of attempted handset fraud,” Three said. “This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.
“We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity.
“The investigation is ongoing and we have taken a number of steps to further strengthen our controls.”
It is the latest in a number of high-profile data breaches to shake the industry. Last year, UK broadband provider TalkTalk admitted the data of 157,000 customers had been hacked. The breach led the firm to lose 95,000 subscribers and cost more than £60 million, including a £400,000 fine from regulator Ofcom.
Earlier this week, a 17-year-old boy pleaded guilty to seven counts of breaching the Computer Misuse Act 1990 at Norwich Crown Court.
Yahoo also recently reported what is believed to be one of the biggest data breaches of all time after revealing the information of more than 500 million subscribers had been hacked. The hack has cast doubt on Verizon’s proposed acquisition of Yahoo.
Certes Networks VP for EMEA Dan Panesar warned that this latest hack should encourage the industry to rethink the concept of “trusted credentials”.
“The Three breach bears the hallmark of every major data breach of the last decade – hackers have stolen credentials to gain unauthorized access to sensitive data. They can then bypass firewalls, intrusion detection and a host of other defences becoming a ‘trusted’ insider at which point traditional cybersecurity defences are rendered useless.
“The only way to halt such breaches is for the industry to rethink trust. The industry needs to adopt a ‘Zero Trust’ model in which it is assumed that every user might be compromised, and that no user is implicitly trusted. Any user might be a hacker in disguise. Organisations must adopt a ‘need to know’ access strategy, meaning users can only access the data they need to do their job.”
The UK government recently announced plans to spend £1.9 billion to tackle cyber security. Andrew Bushby, UK director at Fidelis Cybersecurity, applauded Three for its handling of the hack.
“I applaud Three and the police for moving quickly in communicating the breach and identifying the perpetrators. Having seen the repercussions of the TalkTalk breach – which cost the company 101,000 customers and £60 million – Three will likely be doing everything in its power to limit the damage of its breach in reputational and monetary terms.
“Indeed, the potential damage is considerable for Three in terms of how much it could impact the business. It serves as a reminder to companies to take appropriate measures, for example by ensuring that customer data is encrypted, as well as by using technology that gives them full visibility into both the network and endpoints, so that attackers can be detected and stopped in their tracks.”
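The two controls the commentators above describe, a ‘need to know’ field policy for staff using an upgrade system (Panesar) and visibility into who is looking up what so that misuse of valid logins can be spotted (Bushby), are illustrated below. This is an added example written for this page, not code from Three, Certes Networks or Fidelis; the customer records, role names, field policy, audit-log format and the 20-lookups-in-10-minutes threshold are all constructed assumptions, not details of Three’s systems.

```python
"""
Added example (not from the article): a minimal need-to-know authorisation
layer for a hypothetical handset-upgrade back office, plus a detection rule
over its audit log that flags a login being used to trawl customer records.
All data, roles, field names and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample customer records (fictional people and values).
CUSTOMERS = {
    "C1001": {"name": "A. Example", "address": "1 Sample St", "dob": "1980-01-01",
              "account_balance": 42.10, "card_last4": "1234", "upgrade_eligible": True},
    "C1002": {"name": "B. Example", "address": "2 Sample St", "dob": "1975-05-05",
              "account_balance": 0.0, "card_last4": "5678", "upgrade_eligible": False},
}

# Need-to-know policy (assumed roles): each role sees only the fields its task needs.
# An upgrade agent does not need address, date of birth or payment details.
FIELD_POLICY = {
    "upgrade_agent": {"name", "upgrade_eligible"},
    "billing_agent": {"name", "account_balance", "card_last4"},
    "fraud_analyst": {"name", "address", "dob", "upgrade_eligible"},
}

BASE_TIME = datetime(2016, 11, 14, 9, 0)  # constructed reference time for the sample log
AUDIT_LOG = []  # one entry per lookup; in practice this feeds a SIEM


def audit_entry(user, role, customer_id, seconds_after=0):
    """Build one audit record; timestamps are offsets from BASE_TIME for reproducibility."""
    return {"ts": BASE_TIME + timedelta(seconds=seconds_after),
            "user": user, "role": role, "customer": customer_id}


def lookup(user, role, customer_id, seconds_after=0):
    """Return only the fields `role` may see for `customer_id`, and record the access.

    Even a valid login therefore yields the minimum data for the job, and every
    lookup leaves a trace regardless of whether the caller is legitimate.
    """
    if role not in FIELD_POLICY:
        raise PermissionError(f"unknown role {role!r}")
    record = CUSTOMERS.get(customer_id)
    if record is None:
        raise KeyError(customer_id)
    AUDIT_LOG.append(audit_entry(user, role, customer_id, seconds_after))
    allowed = FIELD_POLICY[role]
    return {field: value for field, value in record.items() if field in allowed}


def flag_bulk_lookups(log, window=timedelta(minutes=10), threshold=20):
    """Flag users who view more than `threshold` distinct customers within any `window`.

    A genuine upgrade conversation touches one account at a time; a credential
    being used to harvest records touches many in quick succession.
    Returns {user: distinct_customers_seen_in_the_offending_window}.
    """
    by_user = defaultdict(list)
    for entry in log:
        by_user[entry["user"]].append(entry)
    flagged = {}
    for user, entries in by_user.items():
        entries.sort(key=lambda e: e["ts"])
        for i, start in enumerate(entries):
            # Sliding window anchored at each entry; entries are time-ordered.
            in_window = {e["customer"] for e in entries[i:]
                         if e["ts"] - start["ts"] <= window}
            if len(in_window) > threshold:
                flagged[user] = len(in_window)
                break
    return flagged


if __name__ == "__main__":
    print(lookup("alice", "upgrade_agent", "C1001"))
    trawl = [audit_entry("mallory", "upgrade_agent", f"C{2000 + i}", i * 10) for i in range(30)]
    print(flag_bulk_lookups(trawl))
```

The field filter is applied server-side on every read, so a stolen or shared login still cannot pull address, date of birth or payment data through a role that has no business need for them; the detection rule then catches the remaining risk (volume of legitimate-looking lookups) from the audit trail rather than from the network perimeter, which the article notes was never breached.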