It revealed that hackers successfully accessed its customer upgrade database after using an employee login, and those customer’s names, phone numbers, addresses and dates of birth – but not financial information – are at risk. It’s since been reported that three people have been arrested. This data breach follows a similar hack at TalkTalk in which it lost 101,000 customers and £60 million as a result.
Andrew Bushby, UK director at Fidelis Cybersecurity, offers the following comment: “The breach of Three will likely cause huge concern for millions of its customers across the UK. The fact that it was the customer upgrade database that was accessed means that customers are not ‘locked’ into a contract, which was one of the major concerns with the TalkTalk breach. While TalkTalk customers had their financial information stolen, the Three database accessed did not include payment, card or bank details; it included personal information such as names, phone numbers, addresses and dates of birth. This is still just as worrying, not least because personal data such as this can often appear on the dark web for hackers to access.
“I applaud Three and the police for moving quickly in communicating the breach and identifying the perpetrators. Having seen the repercussions of the TalkTalk breach – which cost the company 101,000 customers and £60 million – Three will likely be doing everything in its power to limit the damage of its breach in terms of reputation and monetary. Indeed, the potential damage is considerable for Three in terms of how much it could impact the business. It serves as a reminder to companies to take appropriate measures, for example by ensuring that customer data is encrypted, as well as by using technology that gives them full visibility into both the network and endpoints, so that attackers can be detected and stopped in their tracks.”
Greg Hanson, vice president worldwide consulting, Informatica said, “The Three data breach highlights the urgency with which companies must address the state of their data security. All data must be protected, wherever it is stored and whatever form it takes. In this case the attackers gained access with a valid login - a clear indication that companies must expand their definition of sensitive data if they are to safeguard this kind of key information.
“Companies must move away from a damage-control mindset to a deep understanding of their sensitive information, so that they can implement data-centric security and protect it wherever it moves in the organisation. Unless companies understand exactly where their valuable assets originate, proliferate and reside, it is extremely likely that they will lose control of that data. And as the Three breach proves, companies must even prepare for an attack from the inside.”
Ian Jackson, managing director at Imerja added “Another week, another data breach. While it’s encouraging to see the National Crime Agency make arrests, the sophistication of this operation shows what businesses are up against. Hackers are rarely speculative, typically well-structured and incredibly targeted in their approach, and these are often the most difficult attacks to defend against.
“Earlier this month we welcomed the government’s Cyber Security Strategy as a positive step towards making the UK as a whole more secure. But we can’t just rely on the policy makers. Companies must take responsibility and be proactive to protect themselves from becoming victims of this rapidly growing issue.”