Criminals Access Three's Upgrade Systems, Compromise Over 130,000 Accounts

A Three store in Banbury, England

The UK ISP, Three, announced that criminals used employee logins to access its phone upgrade system. They used this access to steal phones that were supposed to be sent as upgrades to customers, and personal information from more than 133,000 thousand accounts was compromised in the process.

Three Unauthorized Access

According to an official statement by Three's CEO, David Dyson, 133,827 customer accounts were compromised. He also revealed that the following information about those accounts may have been leaked:

"Our investigation of the upgrade system shows that for 107,102 customers, the following information could have been obtained:Whether they are a handset or SIM only customer, contract start and end date, handset type, Three account number, how long they’ve been with Three, whether the bill is paid by cash or card, billing date and name.For a further 26,725 customers the following information could have been obtained:Name, address, date of birth, gender, handset type, contract start and end date, whether they are a handset or SIM only customer, telephone number, email address, previous address, marital status, employment status, Three account number and phone number and how long they’ve been with Three. "

Dyson noted that no bank details, passwords, pin numbers, payment information, or credit-slash-debit card information are stored on the upgrade system in question, so the criminals never had access to it. Three's CEO also believes that their main intention may not have been to simply steal information, but to use that information to fraudulently acquire high-end smartphones.

The company has noticed a wave of thefts in the past month that it thinks may be connected to the unauthorized access. So far, 400 high-end smartphones have been stolen in multiple burglaries. Three has also noticed that eight devices have been illegally obtained through the upgrade activity.

The company has been collaborating with the police, and it looks like three suspects have already been arrested. Dyson added that all of the affected customers will be contacted and that security will be increased for their accounts.

EU Companies To Become More Liable For Data Breaches

Last year, another one of the UK’s ISPs, TalkTalk, was given a record fine of £400,000 because it allowed simple vulnerabilities in its webpages to exist, which were then used by malicious hackers to steal the information of 157,000 accounts.

Although it was a record fine for ISP data breaches, ISPs and other companies could end up paying much more--up to four percent of revenue--if they allow simple data data breaches to happen once the European Union’s General Data Protection regulation goes into effect in 2018. By then, the UK may already be out of the EU as a result of the recently-passed referendum to exit the union. UK companies will still have to follow these new rules, however, if they continue to operate in the EU after the "Brexit" is complete.

Insider Threat

Companies might also start to realize that their employees may become bigger targets as they increase the security of their systems. Instead of attacking the systems directly, criminals could try to gain access through the employees’ security credentials. The more access is given to those credentials, the more targeted they will be. Sometimes, the employees themselves may go rogue and steal information for their own purposes, too.

Google seems to have had the right idea with its BeyondCorp security infrastructure. BeyondCorp aims to limit employees as much as possible to only the services and tools that they are supposed to access. Google will also treat its internal network as the internet, which means devices won’t easily be trusted and all traffic will be encrypted.

Data breaches often occur because gaining access to sensitive information is easy once attackers have gotten past a company's firewalls. Companies will have to rethink, just as Google did, how much trust they put into their employees and internal devices to improve their response to future attacks.

In a statement to Tom's Hardware, Greg Hanson, the vice president of the Informatica data management consulting firm, seems to agree that companies must further restrict access to sensitive data and protect it wherever it may be located:

“The Three data breach highlights the urgency with which companies must address the state of their data security. All data must be protected, wherever it is stored and whatever form it takes. In this case the attackers gained access with a valid login - a clear indication that companies must expand their definition of sensitive data if they are to safeguard this kind of key information. “Companies must move away from a damage-control mindset to a deep understanding of their sensitive information, so that they can implement data-centric security and protect it wherever it moves in the organisation. Unless companies understand exactly where their valuable assets originate, proliferate and reside, it is extremely likely that they will lose control of that data. And as the Three breach proves, companies must even prepare for an attack from the inside.”

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • shrapnel_indie
    In the United States, HIPAA regulations dictate for the health-care community limited access. That is access to only what employees need to carry out their tasks and no more. An employee isn't even allowed to view their own health records without going through the proper channels by HIPAA regulations.