The hackers used the data to order new phones for themselves to resell
The Telegraph reports that up to 6 million wireless customers of Three Mobile have had their personal information compromised by hackers. The data includes phone numbers, birth dates, full names, and people’s home addresses.
Mining the data, they used their access to order phone upgrades in eligible customers’ names and then take delivery of the devices themselves, probably to resell them at a profit. Manchester Evening News says that at least 400 devices were stolen from stores using falsified identifications, and at least 8 devices were intercepted going past the post. Three men have since been arrested for their alleged involvement.
“In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system,” the company said in a statement to press. It is not clear if they obtained valid access by going after an employee with malware, or if there was some sort of inside connection that enabled their efforts. The company says it is investigating and has not provided any more details at this time.
Three Mobile accounts for about 10% of the wireless market share in the UK, but the customers who’ve been affected — at least two-thirds of the company’s entire subscriber base — have not yet been notified if they were among those breached.
Subscribers wanting more information are advised to call 333, the information hotline number for UK network customers. Some emails and pin numbers for the devices were also apparently compromised, so changing your login might be a good idea. Depending on what else the hackers do with the data, they could sell it to spammers or other parties.
Three may suffer financially for this, and not just due to angry customers. British regulators recently fined the ISP provider TalkTalk for failing to secure its customers’ data properly, as last year nearly 157,000 customers had their information compromised when an SQL injector breached an old consumer database. And it follows a recent breach at Tesco Bank that affected 40,000 accounts.
Fortunately, for now it seems no financial data was present in the Three database. That said, some emails and pin numbers for devices were, so changing your login might be a good idea. Depending on what else the hackers do with the data, they could sell it to spammers or other parties, and with the personal details on hand, financial fraud is doable. Phishing scams could very well proliferate using this data.