Three’s CEO, David Dyson, has admitted that there has been a massive security breach, potentially affecting around six of their nine million mobile phone customers.
As a Three customer myself, I was mortified to hear of the news. Without delay, I changed my password… not that I think this would make a huge difference since the damage has already been done.
Nature of the cyber-hack
Three Mobile are the latest tech company in the line-up to have fallen victim to cyber-hackers. A cyber-hacker allegedly accessed the customer upgrade database by using an employee’s login details, and it is thought that six million customers’ personal details have been put at risk.
Mr Dyson confirmed that 133,827 accounts were directly hacked…
No bank details accessed
To give their customers some assurance, Three’s spokesperson said that the system – which contains personal information of customers who are looking for an upgrade – doesn’t include any customer payment details or sensitive bank details. Instead, the exposure ‘only’ included customer names, physical addresses, phone numbers, and dates of birth.
Although the cyber-hackers reportedly didn’t have access to any sensitive bank information, I still feel vulnerable and exposed to what they could do with my information.
Others may feel the same as well.
TalkTalk breach
This should be a wake-up call for companies to buck up their ideas or they’ll be putting their customers at a huge data protection risk.
If the TalkTalk cyber-hack is anything to go by, Three could be in serious trouble.
The TalkTalk cyber-hack that took place last year involved 157,000 customer accounts being accessed. The telecoms giant reportedly failed to have adequate security in place to fend off the attack, consequently landing them with a £400,000 fine from the Information Commissioner’s Office (ICO).
This should have been a warning sign – not a wake-up call – for Three.
Investigations
Three’s spokesperson also confirmed that there has been a significant increase in attempted phone fraud over the past month. Investigations are well under way, and the National Crime Agency (NCA) has already arrested two men on suspicion of computer misuse, and another for attempting to pervert the course of justice.
But the focus of this blog isn’t the wrongdoers as such – it’s to highlight that companies must do more to protect customers’ personal details, and this is the concern for many security experts across the country.
As a reaction to the cyber-hack, Three has released a statement to say that investigations are ongoing, and they have taken a number of steps to strengthen their defences. They’ve issued an apology to their nine million customers and pledged to enhance security “as an additional precaution” for those who have been affected. But what about the ones who weren’t as affected by the attack? Is Three forgetting about the rest of them?
Under pressure
There is pressure on companies and organisations from data protection authorities and the government to take responsibility for enhancing security protection. Earlier this month, Chancellor of the Exchequer Philip Hammond said that companies hold this duty to protect their customers under the Data Protection Act. There has been a sharp increase in cyber-hacks in recent years, including several high-profile breaches at the likes of TalkTalk and Yahoo.
This is reflected in figures from the Office for National Statistics.
Mr Hammond is aware that these kinds of data breaches can jeopardise the economy, as large data breaches can hit the company’s own purse. He said that “trust in the internet and the infrastructure on which it relies is fundamental to our economic future”. He highlights the importance of the trust we place in companies and the internet, and the least a company can do is to reciprocate that trust.
If the ICO finds that Three didn’t do enough to protect their customers, they can impose a penalty of up to £500,000.
With the EU General Data Protection Regulation looming, companies may be fined up to 20 million Euros, or 4 per cent of their global annual turnover. If companies and organisations don’t want to be subject to these penalties, I suggest they review their cybersecurity, and fast.