Statement from Three CEO David Dyson
As you may already know, we recently became aware of suspicious activity on the system we use to upgrade existing customers to new devices and I wanted to update all our customers on what happened and what we have done.
I understand that our customers will be concerned about this issue and I would like to apologise for this and any inconvenience this has caused.
Once we became aware of the suspicious activity, we took immediate steps to block it and add additional layers of security to the system while we investigated the issue.
On 17th November we were able to confirm that 8 customers had been unlawfully upgraded to a new device by fraudsters who intended to intercept and sell on those devices.
I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.
We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.
We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have. As an additional precaution we have put in place increased security for all these customer accounts.
We have been working closely with law enforcement agencies on this matter and three arrests have been made.
I understand that this will have caused some concern and inconvenience for our customers and for that I sincerely apologise.
What has happened?
Criminals gained access to Three’s upgrade system using authorised log-ins. They did this to get access to mobile devices unlawfully to sell on.
We believe the primary purpose of this activity was not to steal customer information but was criminal activity to acquire new handsets fraudulently. However, as part of this attempt, the criminals did obtain some of our customer’s personal details.
What information has been obtained?
Our investigation of the upgrade system shows that for 107,102 customers, the following information could have been obtained:
Whether they are a handset or SIM only customer, contract start and end date, handset type, Three account number, how long they’ve been with Three, whether the bill is paid by cash or card, billing date and name.
For a further 26,725 customers the following information could have been obtained:
Name, address, date of birth, gender, handset type, contract start and end date, whether they are a handset or SIM only customer, telephone number, email address, previous address, marital status, employment status, Three account number and phone number and how long they’ve been with Three.
We will contact each affected customer today and advise them which category they fall into.
For the avoidance of doubt, no financial information, bank details, payment information, passwords or pin numbers were viewed or obtained.
What action should customers take at this point?
We will be proactively contacting affected customers to support them.
We ask customers to be cautious about anyone contacting them. If it is a call from Three and you are in any doubt that it is genuine, call us back via 333 from your Three mobile. We advise the same for other service providers.
As always, customers should never give out any banking information.
How will a customer know if they have been affected?
We are contacting all affected customers today.
Notes to Editors
Three Corporate PR team
07454 959 715