Three Mobile, one of the largest U.K. mobile providers, has apologized after scammers gained access to its systems, ordering new phones for a handful of the company's customers with the intent of intercepting the deliveries and committing fraud.
See Also: 2016 IAM Research: Where Financial Institutions' PAM Programs Are Falling Short
The fraudsters accessed a database that's used for upgrading consumers to new devices. All told, 133,827 accounts were at risk, but only eight customers had been upgraded without their knowledge.
"I understand that our customers will be concerned about this issue, and I would like to apologize for this and any inconvenience this has caused," writes Three Mobile CEO David Dyson in a Nov. 18 statement posted on the company's website.
The breach also exposed some customer information, Dyson writes. No bank account details, passwords, PINs or payment card information were stored on the upgrade system. Three Mobile has since put in place additional security measures.
"We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently," Dyson writes. 'We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have."
Slow To Notify
Three Mobile didn't provide an explanation for how attackers managed to gain access to so many accounts.
In a Q&A on its website, Three Mobile says "upgrade fraud of this type is an ongoing industry issue." Three has been notifying customers via text message, who have been advised to change their account passwords.
Three Mobile says it has also notified regulators. The company has already been hit with some criticism for waiting too long to notify customers, according to The Daily Telegraph. Three Mobile responded to queries about the breach on Twitter and news stories popped up before the company published information on its website.
Three Arrests Made
Dyson writes that the company has been working closely with law enforcement, which has made three arrests.
The BBC reported the National Crime Agency arrested a 48-year-old man from Kent and two men from greater Manchester. All were released on bail. A Three Mobile spokesman told the broadcaster that the online fraud came concurrently with a spike in burglaries of retail stores, which has so far caused the loss of 400 phones.
Mobile phones are an attractive item to steal, as the resale value can be high and the devices can be easy to offload.
TalkTalk Update
Three Mobile's breach comes just a month after regulators levied a record fine against the London-based mobile and broadband provider formerly known as TalkTalk. Six suspects, nearly all teenagers, were arrested in connection with attempts to try to blackmail the company.
The week-long cyberattack in October 2015 allowed the attackers to access names, birthdates, addresses, phone numbers and email addresses for 156,959 TalkTalk customers. Bank account details and sort codes were exposed for 15,656 accounts, according to the Information Commissioner's Office.
TalkTalk was stung last month with a £400,000 fine, the largest-ever penalty from the ICO (see TalkTalk Slammed with Record Fine Over Breach).
TalkTalk's vulnerabilities stemmed from weak infrastructure that fell under its wing with its acquisition of Tiscali UK in 2009. The ICO found the attackers used SQL injection flaws in web pages that were part of Tiscali's infrastructure.
SQL injection is a technique where malicious commands are inputted into web-based forms. SQL databases may respond to those commands and reveal sensitive data if not securely configured. The TalkTalk attackers managed to reach a customer database, which was outdated and no longer supported by the manufacturer, the ICO says.